Re: calibre / CVE-2018-7889

[Brian May <bam@debian.org>]

Antoine Beaupré <anarcat@orangeseeds.org> writes:

> So I am wondering whether simply changing the serialization format is
> the right approach after all: exported data still has executable code
> and the patch is not sufficient to make arbitrary imports safe.

It sounds like this patch will be some benefit, but very possibly
insignificant for anybody using calibre normally. It does solve the
problem for bookmarks, but not for data.

> Maybe we should just make sure that imports have a popup warning as they
> now do in the latest upstream. Of course this leads to warning fatigue
> and is not a proper security policy, but it's upstream's choice at this
> stage.
>
> Do we have such a warning in wheezy already?

I don't think there is any warning.

I am not convinced adding a warning would help either. An attacker would
leave instructions with his mallacious bookmark files saying "please
bypass the warnings" when installing this. No doubt some users probably
would bypass the warnings without understanding the issues, as per the
instructions.

I believe the intention of this mechanism is to allow you to
backup/restore your own data. In which case it is 100% fine. The problem
occurs when using it to transfer data to/from other users (does this
actually happen?) or if a user is tricked into doing so (I think I could
think of easier ways of tricking users into running an exploit).

My feeling is that the root cause of the problem is having the data
files contain plugins. It sounds like this is the code for the plugins,
not just a reference. However changing this would require upstream
accept the change, and I am somewhat skeptical this is going to happen.
-- 
Brian May <bam@debian.org>