Bug#1060668: marked as done (bookworm-pu: package calibre/6.13.0+repack-2+deb12u3)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1060668: marked as done (bookworm-pu: package calibre/6.13.0+repack-2+deb12u3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Feb 2024 13:16:12 +0000
Message-id: <[🔎] handler.1060668.D1060668.1707570686684094.ackdone@bugs.debian.org>
Reply-to: 1060668@bugs.debian.org
References: <E1rYn8b-002yb5-9O@coccia.debian.org> <170506102486.67650.15468586761900335658.reportbug@loadstone.darkstar.local>

Your message dated Sat, 10 Feb 2024 13:11:21 +0000
with message-id <E1rYn8b-002yb5-9O@coccia.debian.org>
and subject line Released with 12.5
has caused the Debian Bug report #1060668,
regarding bookworm-pu: package calibre/6.13.0+repack-2+deb12u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060668
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package calibre/6.13.0+repack-2+deb12u3
From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
Date: Fri, 12 Jan 2024 21:03:44 +0900
Message-id: <170506102486.67650.15468586761900335658.reportbug@loadstone.darkstar.local>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: calibre@packages.debian.org, yokota.hgml@gmail.com, security@debian.org
Control: affects -1 + src:calibre


[ Reason ]
Fix CVE-2023-46303.
https://security-tracker.debian.org/tracker/CVE-2023-46303

[ Impact ]
CVE-2023-46303 is unfixed.

[ Tests ]
Build time test was passed.

[ Risks ]
This fix is already applied for Debian 11 backports
calibre/5.44.0+dfsg-1~bpo11+2.
  https://github.com/debian-calibre/calibre/pull/10

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add upstream fix:
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b

[ Other info ]
Debian security tracker:
  https://security-tracker.debian.org/tracker/CVE-2023-46303
Upstream fix:
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b
Fix for Debian 11 backports:
  https://github.com/debian-calibre/calibre/pull/10

diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog	2023-10-14 11:48:44.000000000 +0900
+++ calibre-6.13.0+repack/debian/changelog	2024-01-12 20:16:45.000000000 +0900
@@ -1,3 +1,11 @@
+calibre (6.13.0+repack-2+deb12u3) bookworm; urgency=medium
+
+  * HTML Input: Dont add resources that exist outside the folder hierarchy
+    rooted at the parent folder of the input HTML file by default (Fix for
+    CVE-2023-46303)
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com>  Fri, 12 Jan 2024 20:16:45 +0900
+
 calibre (6.13.0+repack-2+deb12u2) bookworm; urgency=medium
 
   * fix crash in Get Books when regenerating UIC files (Closes: #1053899)
diff -Nru calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
--- calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch	1970-01-01 09:00:00.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch	2024-01-12 19:24:57.000000000 +0900
@@ -0,0 +1,55 @@
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Sun, 28 May 2023 14:03:15 +0530
+Subject: HTML Input: Dont add resources that exist outside the folder
+ hierarchy rooted at the parent folder of the input HTML file by default
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-46303
+
+Fix for CVE-2023-46303
+---
+ src/calibre/ebooks/conversion/plugins/html_input.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/html_input.py b/src/calibre/ebooks/conversion/plugins/html_input.py
+index ca5b729..eb26b5c 100644
+--- a/src/calibre/ebooks/conversion/plugins/html_input.py
++++ b/src/calibre/ebooks/conversion/plugins/html_input.py
+@@ -64,6 +64,16 @@ class HTMLInput(InputFormatPlugin):
+                 )
+         ),
+ 
++        OptionRecommendation(name='allow_local_files_outside_root',
++            recommended_value=False, level=OptionRecommendation.LOW,
++            help=_('Normally, resources linked to by the HTML file or its children will only be allowed'
++                   ' if they are in a sub-folder of the original HTML file. This option allows including'
++                   ' local files from any location on your computer. This can be a security risk if you'
++                   ' are converting untrusted HTML and expecting to distribute the result of the conversion.'
++                )
++        ),
++
++
+     }
+ 
+     def convert(self, stream, opts, file_ext, log,
+@@ -76,6 +86,7 @@ class HTMLInput(InputFormatPlugin):
+         if hasattr(stream, 'name'):
+             basedir = os.path.dirname(stream.name)
+             fname = os.path.basename(stream.name)
++        self.root_dir_of_input = os.path.abspath(basedir) + os.sep
+ 
+         if file_ext != 'opf':
+             if opts.dont_package:
+@@ -250,6 +261,11 @@ class HTMLInput(InputFormatPlugin):
+         frag = l.fragment
+         if not link:
+             return None, None
++        link = os.path.abspath(os.path.realpath(link))
++        if not link.startswith(self.root_dir_of_input):
++            if not self.opts.allow_local_files_outside_root:
++                self.log.warn('Not adding {} as it is outside the document root: {}'.format(link, self.root_dir_of_input))
++                return None, None
+         return link, frag
+ 
+     def resource_adder(self, link_, base=None):
diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series	2023-10-14 11:48:44.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/series	2024-01-12 19:24:57.000000000 +0900
@@ -28,3 +28,4 @@
 0028-TypeError-HistoryLineEdit.__init__-got-an-unexpected.patch
 0029-ERROR-Unhandled-exception-when-opening-Settings-Savi.patch
 0030-fix-crash-in-Get-Books-when-regenerating-UIC-files-C.patch
+0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch

--- End Message ---

--- Begin Message ---

To: 1060668-done@bugs.debian.org

Subject: Released with 12.5

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 10 Feb 2024 13:11:21 +0000

Message-id: <E1rYn8b-002yb5-9O@coccia.debian.org>
Version: 12.5

The upload requested in this bug has been released as part of 12.5.
--- End Message ---

Reply to:

Prev by Date: Bug#1060129: marked as done (bookworm-pu: package libmateweather/1.26.0-1.1+deb12u2)
Next by Date: Bug#1060186: marked as done (bookworm-pu: libde265/1.0.11-1+deb12u2)
Previous by thread: Bug#1060129: marked as done (bookworm-pu: package libmateweather/1.26.0-1.1+deb12u2)
Next by thread: Bug#1060186: marked as done (bookworm-pu: libde265/1.0.11-1+deb12u2)
Index(es):
- Date
- Thread