Bug#1120423: bookworm-pu: package calibre/6.13.0+repack-2+deb12u5



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: calibre@packages.debian.org, yokota.hgml@gmail.com
Control: affects -1 + src:calibre
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix CVE-2025-64486

[ Impact ]
This bug can be leveraged to achieve arbitrary code execution.

[ Tests ]
The build-time test was successful.

[ Risks ]
This bug can be leveraged to achieve arbitrary code execution.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply the upstream fix:
https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5

You can examine the changes online:
https://github.com/debian-calibre/calibre/compare/debian/6.13.0+repack-2+deb12u4...bookworm-update

[ Other info ]
Upstream report of this issue:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g

diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog	2024-08-22 20:41:03.000000000 +0900
+++ calibre-6.13.0+repack/debian/changelog	2025-11-09 18:15:24.000000000 +0900
@@ -1,3 +1,9 @@
+calibre (6.13.0+repack-2+deb12u5) bookworm; urgency=medium
+
+  * Fix CVE-2025-64486
+
+ -- YOKOTA Hiroshi <yokota.hgml@gmail.com>  Sun, 09 Nov 2025 18:15:24 +0900
+
 calibre (6.13.0+repack-2+deb12u4) bookworm; urgency=medium
 
   * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
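Review bot: the changelog entry `+  * Fix CVE-2025-64486` carries only the CVE number; a stable security entry should say what was fixed and where, so readers of apt-listchanges and the security tracker do not have to resolve the CVE themselves. The patch added in this debdiff changes one condition in src/calibre/ebooks/conversion/plugins/fb2_input.py so that `<binary>` elements with an empty id are skipped, so something like `* Fix CVE-2025-64486: FB2 input: reject <binary> elements with an empty id (fb2_input.py)` followed by the upstream advisory URL already present in the patch header would document the change properly.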
diff -Nru calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch
--- calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch	1970-01-01 09:00:00.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch	2025-11-09 18:13:16.000000000 +0900
@@ -0,0 +1,23 @@
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Thu, 6 Nov 2025 09:36:53 +0530
+Subject: Fix CVE-2025-64486
+
+Bug: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
+Origin: https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5
+---
+ src/calibre/ebooks/conversion/plugins/fb2_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/fb2_input.py b/src/calibre/ebooks/conversion/plugins/fb2_input.py
+index dae3137..a71011b 100644
+--- a/src/calibre/ebooks/conversion/plugins/fb2_input.py
++++ b/src/calibre/ebooks/conversion/plugins/fb2_input.py
+@@ -161,7 +161,7 @@ class FB2Input(InputFormatPlugin):
+         from calibre.ebooks.fb2 import base64_decode
+         self.binary_map = {}
+         for elem in doc.xpath('./*'):
+-            if elem.text and 'binary' in elem.tag and 'id' in elem.attrib:
++            if elem.text and 'binary' in elem.tag and elem.get('id', ''):
+                 ct = elem.get('content-type', '')
+                 fname = elem.attrib['id']
+                 ext = ct.rpartition('/')[-1].lower()
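Review bot: the new condition `elem.get('id', '')` only rejects a missing or empty id, while the value is still taken unchanged two lines later as `fname = elem.attrib['id']`. If fname ends up as part of a file path (the rest of the loop body is outside this hunk), an id containing `/`, `\` or `..` passes the new check exactly as before, so please confirm that the consumer of fname below normalises it (for example with `os.path.basename`) or that it is never used to build a path; if not, the upstream advisory linked in the header should be re-read before this is accepted as the complete fix. Minor style point: the `''` default is redundant, since `elem.get('id')` returns None, which is equally falsy; as the Origin header says this is the verbatim upstream commit, leaving it as is for easier future rebasing is fine.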
diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series	2024-08-22 20:41:03.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/series	2025-11-09 18:13:16.000000000 +0900
@@ -33,3 +33,4 @@
 0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
 0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
 0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
+0036-Fix-CVE-2025-64486.patch
