Bug#1060668: bookworm-pu: package calibre/6.13.0+repack-2+deb12u3
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: calibre@packages.debian.org, yokota.hgml@gmail.com, security@debian.org
Control: affects -1 + src:calibre
[ Reason ]
Fix CVE-2023-46303.
https://security-tracker.debian.org/tracker/CVE-2023-46303
[ Impact ]
CVE-2023-46303 is unfixed.
[ Tests ]
Build-time tests passed.
[ Risks ]
This fix is already applied to the Debian 11 backports package
calibre/5.44.0+dfsg-1~bpo11+2.
https://github.com/debian-calibre/calibre/pull/10
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Add upstream fix:
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b
[ Other info ]
Debian security tracker:
https://security-tracker.debian.org/tracker/CVE-2023-46303
Upstream fix:
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b
Fix for Debian 11 backports:
https://github.com/debian-calibre/calibre/pull/10
diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog 2023-10-14 11:48:44.000000000 +0900
+++ calibre-6.13.0+repack/debian/changelog 2024-01-12 20:16:45.000000000 +0900
@@ -1,3 +1,11 @@
+calibre (6.13.0+repack-2+deb12u3) bookworm; urgency=medium
+
+ * HTML Input: Dont add resources that exist outside the folder hierarchy
+ rooted at the parent folder of the input HTML file by default (Fix for
+ CVE-2023-46303)
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com> Fri, 12 Jan 2024 20:16:45 +0900
+
calibre (6.13.0+repack-2+deb12u2) bookworm; urgency=medium
* fix crash in Get Books when regenerating UIC files (Closes: #1053899)
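Review bot: "Dont" in the new changelog entry wants an apostrophe ("Don't"); the wording otherwise mirrors the patch subject, and naming the CVE in the entry is what the security tracker needs to pick the fix up.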
diff -Nru calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
--- calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch 1970-01-01 09:00:00.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch 2024-01-12 19:24:57.000000000 +0900
@@ -0,0 +1,55 @@
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Sun, 28 May 2023 14:03:15 +0530
+Subject: HTML Input: Dont add resources that exist outside the folder
+ hierarchy rooted at the parent folder of the input HTML file by default
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-46303
+
+Fix for CVE-2023-46303
+---
+ src/calibre/ebooks/conversion/plugins/html_input.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/html_input.py b/src/calibre/ebooks/conversion/plugins/html_input.py
+index ca5b729..eb26b5c 100644
+--- a/src/calibre/ebooks/conversion/plugins/html_input.py
++++ b/src/calibre/ebooks/conversion/plugins/html_input.py
+@@ -64,6 +64,16 @@ class HTMLInput(InputFormatPlugin):
+ )
+ ),
+
++ OptionRecommendation(name='allow_local_files_outside_root',
++ recommended_value=False, level=OptionRecommendation.LOW,
++ help=_('Normally, resources linked to by the HTML file or its children will only be allowed'
++ ' if they are in a sub-folder of the original HTML file. This option allows including'
++ ' local files from any location on your computer. This can be a security risk if you'
++ ' are converting untrusted HTML and expecting to distribute the result of the conversion.'
++ )
++ ),
++
++
+ }
+
+ def convert(self, stream, opts, file_ext, log,
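Review bot: the help text for allow_local_files_outside_root says resources are allowed only "if they are in a sub-folder of the original HTML file", but the check this patch adds is rooted at the parent folder of the input file, so files sitting beside the HTML file are allowed as well; say "in the folder containing the original HTML file or a sub-folder of it" so users do not move assets needlessly. The two empty `+` lines before the closing `}` are stray whitespace and can be dropped.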
+@@ -76,6 +86,7 @@ class HTMLInput(InputFormatPlugin):
+ if hasattr(stream, 'name'):
+ basedir = os.path.dirname(stream.name)
+ fname = os.path.basename(stream.name)
++ self.root_dir_of_input = os.path.abspath(basedir) + os.sep
+
+ if file_ext != 'opf':
+ if opts.dont_package:
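Review bot: `self.root_dir_of_input` is assigned only inside the `if hasattr(stream, 'name'):` branch, yet the link check added later in this patch reads it unconditionally; for a stream without a name the attribute is never set and the check would raise AttributeError instead of deciding about the link. Initialise it before the branch (e.g. `self.root_dir_of_input = None`) and have the check refuse links while it is None, so the failure mode is closed rather than a crash.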
+@@ -250,6 +261,11 @@ class HTMLInput(InputFormatPlugin):
+ frag = l.fragment
+ if not link:
+ return None, None
++ link = os.path.abspath(os.path.realpath(link))
++ if not link.startswith(self.root_dir_of_input):
++ if not self.opts.allow_local_files_outside_root:
++ self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input))
++ return None, None
+ return link, frag
+
+ def resource_adder(self, link_, base=None):
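Review bot: the comparison mixes `os.path.realpath(link)` with a root computed by `os.path.abspath(basedir)` only (previous hunk), so when the input folder itself sits behind a symlink the resolved link never starts with the unresolved root and every in-tree resource is dropped with the warning; compute the root with `os.path.realpath` too so both sides are canonical. The trailing `os.sep` on the root is the right touch, since it stops `/tmp/book2/x` from matching a root of `/tmp/book`; `os.path.commonpath([root, link]) == root` would give the same guarantee without the hand-added separator.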
diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series 2023-10-14 11:48:44.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/series 2024-01-12 19:24:57.000000000 +0900
@@ -28,3 +28,4 @@
0028-TypeError-HistoryLineEdit.__init__-got-an-unexpected.patch
0029-ERROR-Unhandled-exception-when-opening-Settings-Savi.patch
0030-fix-crash-in-Get-Books-when-regenerating-UIC-files-C.patch
+0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch