[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1079597: marked as done (bullseye-pu: package calibre/5.12.0+dfsg-1+deb11u2)

Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id <27c418b1a49ffc566f1b9635359e59f6a742be26.camel@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1079597,
regarding bullseye-pu: package calibre/5.12.0+dfsg-1+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1079597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079597
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye, security
X-Debbugs-Cc: calibre@packages.debian.org, team@security.debian.org, yokota.hgml@gmail.com
Control: affects -1 + src:calibre
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix these CVEs:
* CVE-2024-7008
* CVE-2024-7009

[ Impact ]
Some security problems are unfixed.
* cross-site scripting
* SQL injection

[ Tests ]
Build and automated build-time tests were succeeded.

[ Risks ]
Not fully tested on bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2024-7008
* Fix CVE-2024-7009

[ Other info ]
You can examine commits from online:
> https://github.com/debian-calibre/calibre/tree/bullseye-update

diff --git a/debian/changelog b/debian/changelog
index 33068fc40c..a7a13add8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+calibre (5.12.0+dfsg-1+deb11u2) bullseye; urgency=medium
+
+  * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+    (Fix for CVE-2024-7009)
+  * Fix #2075130 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+    (Fix for CVE-2024-7008)
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com>  Sun, 25 Aug 2024 13:32:32 +0900
+
 calibre (5.12.0+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Avoid to use embedded assignment syntax (Closes: #998744)
diff --git a/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..5c4a925777
--- /dev/null
+++ b/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,42 @@
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:36:39 +0530
+Subject: Fix #2075131 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7009
+---
+ src/calibre/db/backend.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/calibre/db/backend.py b/src/calibre/db/backend.py
+index 55526b7..bae5b35 100644
+--- a/src/calibre/db/backend.py
++++ b/src/calibre/db/backend.py
+@@ -1803,18 +1803,20 @@ class DB(object):
+     ):
+         fts_table = 'annotations_fts_stemmed' if use_stemming else 'annotations_fts'
+         text = 'annotations.searchable_text'
++        data = []
+         if highlight_start is not None and highlight_end is not None:
+             if snippet_size is not None:
+-                text = 'snippet({fts_table}, 0, "{highlight_start}", "{highlight_end}", "…", {snippet_size})'.format(
+-                        fts_table=fts_table, highlight_start=highlight_start, highlight_end=highlight_end,
+-                        snippet_size=max(1, min(snippet_size, 64)))
++                text = "snippet({fts_table}, 0, ?, ?, '…', {snippet_size})".format(
++                        fts_table=fts_table, snippet_size=max(1, min(snippet_size, 64)))
+             else:
+-                text = 'highlight({}, 0, "{}", "{}")'.format(fts_table, highlight_start, highlight_end)
++                text = f"highlight({fts_table}, 0, ?, ?)"
++            data.append(highlight_start)
++            data.append(highlight_end)
+         query = 'SELECT {0}.id, {0}.book, {0}.format, {0}.user_type, {0}.user, {0}.annot_data, {1} FROM {0} '
+         query = query.format('annotations', text)
+         query += ' JOIN {fts_table} ON annotations.id = {fts_table}.rowid'.format(fts_table=fts_table)
+         query += ' WHERE {fts_table} MATCH ?'.format(fts_table=fts_table)
+-        data = [fts_engine_query]
++        data.append(fts_engine_query)
+         if restrict_to_user:
+             query += ' AND annotations.user_type = ? AND annotations.user = ?'
+             data += list(restrict_to_user)
diff --git a/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..060fe0b9b4
--- /dev/null
+++ b/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,25 @@
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:40:21 +0530
+Subject: Fix #2075130 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7008
+---
+ src/calibre/srv/legacy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
+index c3a782e..e8722f0 100644
+--- a/src/calibre/srv/legacy.py
++++ b/src/calibre/srv/legacy.py
+@@ -256,7 +256,7 @@ def browse(ctx, rd, rest):
+     if rest.startswith('book/'):
+         # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
+         # redirect old server book URLs to new URLs
+-        redirect = ctx.url_for(None) + '#book_id=' + rest[5:] + "&amp;panel=book_details"
++        redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) + "&amp;panel=book_details"
+         from lxml import etree as ET
+         return html(ctx, rd, endpoint,
+                  E.html(E.head(
diff --git a/debian/patches/series b/debian/patches/series
index a5a2fd7599..3d09f2b3ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@
 0009-dont-use-python-crypto.patch
 0010-Restore-chardet-module-support.patch
 0011-Avoid-to-use-embedded-assignment-syntax-Closes-99874.patch
+0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
+0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update including in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
Reply to: