Your message dated Tue, 02 Jun 2026 19:17:06 +0000
with message-id <[email protected]>
and subject line Bug#1135543: fixed in calibre 8.5.0+ds-1+deb13u3
has caused the Debian Bug report #1135543,
regarding calibre: upstream 9.8 contains unannounced security fixes; please
review affected Debian versions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135543: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135543
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: calibre
Severity: important
Tags: security upstream
Dear Maintainer,
I would like to report that upstream calibre contains a public commit titled
"Fix security vulnerabilities and code quality issues":
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166
The commit date is Tue, 21 Apr 2026. The commit message explicitly lists
multiple security-related fixes, including:
High severity:
- Fix typo normapth -> normpath in srv/content.py (broken endpoint)
- Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
- Log exceptions in FunctionDispatcher.dispatch instead of swallowing
Medium severity:
- Add path traversal protection to DirContainer read/write/exists
- Fix XPath injection in comments_editor.py merge_contiguous_links
- Use parameterized SQL queries in database2.py library_id setter
- Add safety comment to pickle_loads in utils/serialize.py
However, these fixes do not appear to be mentioned in the upstream calibre
9.8 release notes:
https://calibre-ebook.com/whats-new
The 9.8 release notes list new features and ordinary bug fixes, but I do not
see these security-related fixes or CVE references mentioned there.
Debian unstable currently has calibre 9.8.0+ds+~0.10.5-1, which appears likely
to include the upstream fixes. However, Debian testing/stable/backports may
still contain older versions, so I think this should be reviewed for Debian
security tracking and possible backports.
Please could you check whether the issues fixed by the upstream commit affect
the Debian-packaged versions, especially testing/stable/backports, and whether
they should receive CVE/security-tracker entries or Debian security updates?
I am not including exploit details; the concern is based on the public upstream
commit message and the absence of corresponding release-note/security-tracker
visibility.
Relevant upstream commit:
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166
Upstream 9.8 release notes:
https://calibre-ebook.com/whats-new
Debian package tracker:
https://tracker.debian.org/pkg/calibre
--- End Message ---
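The fixes listed above ("path traversal protection to DirContainer read/write/exists", "Ensure files are extracted within container dir", "prevent reading background images from outside the config dir") all come down to one check: a name supplied by the book or by the user must resolve to a location inside the container directory. The following is an added example written for this page, not calibre's code; the class name SafeContainer, the helper is_confined and the demo scenario are hypothetical. It shows the resolve-then-compare pattern with os.path.realpath and os.path.commonpath, which also catches the cases a naive string-prefix check misses: a sibling directory whose name starts with the root's name, and a symlink inside the container that points outside it.

```python
"""Added example (not calibre's code): confine reads, writes and existence
checks to a container directory, rejecting names that would escape it."""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the container."""


class SafeContainer:
    """Hypothetical container: every member name is resolved against `root`
    and must stay beneath it after '..', '.' and symlinks are resolved."""

    def __init__(self, root):
        # realpath the root once so symlinked roots compare equal to resolved members
        self.root = os.path.realpath(root)

    def resolve(self, name):
        # Absolute or drive-qualified names would make os.path.join discard the root.
        if os.path.isabs(name) or os.path.splitdrive(name)[0]:
            raise PathTraversalError(name)
        # Join first, then resolve '..' segments and symlinks in one step.
        candidate = os.path.realpath(os.path.join(self.root, name))
        # commonpath (not str.startswith) so "<root>x/file" is not mistaken for "<root>/..."
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PathTraversalError(name)
        return candidate

    def exists(self, name):
        return os.path.exists(self.resolve(name))

    def read(self, name):
        with open(self.resolve(name), 'rb') as f:
            return f.read()

    def write(self, name, data):
        path = self.resolve(name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)


def is_confined(root, name):
    """True when `name` stays inside `root`, False when it would escape."""
    try:
        SafeContainer(root).resolve(name)
        return True
    except PathTraversalError:
        return False


def demo():
    """Constructed scenario: a container holding one chapter file, a sibling
    directory outside it, and a symlink from inside the container to outside."""
    outside = tempfile.mkdtemp()        # sibling of `root`, represents "anywhere else"
    root = tempfile.mkdtemp()
    with open(os.path.join(outside, 'secret.txt'), 'wb') as f:
        f.write(b'outside')
    c = SafeContainer(root)
    c.write('OEBPS/chapter1.html', b'<p>hi</p>')
    results = {
        'plain': is_confined(root, 'OEBPS/chapter1.html'),
        'roundtrip': c.read('OEBPS/chapter1.html') == b'<p>hi</p>',
        # "<root>/../<outside>/secret.txt" normalises to a path outside root
        'dotdot': is_confined(root, '../' + os.path.basename(outside) + '/secret.txt'),
        'absolute': is_confined(root, os.path.join(outside, 'secret.txt')),
        # "<root>x/file": shares a string prefix with root but is a different directory
        'prefix_sibling': is_confined(root, '../' + os.path.basename(root) + 'x/file'),
    }
    try:
        os.symlink(os.path.join(outside, 'secret.txt'), os.path.join(root, 'link.txt'))
        # the link lives inside root, but realpath follows it outside
        results['symlink'] = is_confined(root, 'link.txt')
    except OSError:
        results['symlink'] = False  # platform without symlink support: treat as rejected
    return results


if __name__ == '__main__':
    print(demo())
```

The same resolve() is shared by exists, read and write so that no path can be probed with exists and then written through a different code path. Resolving with realpath before comparing is what defeats the symlink case; checking commonpath against the realpath'd root is what defeats the sibling-prefix case.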
--- Begin Message ---
Source: calibre
Source-Version: 8.5.0+ds-1+deb13u3
Done: YOKOTA Hiroshi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
YOKOTA Hiroshi <[email protected]> (supplier of updated calibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 25 May 2026 08:19:53 +0900
Source: calibre
Architecture: source
Version: 8.5.0+ds-1+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Calibre maintainer team <[email protected]>
Changed-By: YOKOTA Hiroshi <[email protected]>
Closes: 1135543
Changes:
calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium
.
* Fix security vulnerabilities and code quality issues (Closes: #1135543)
* CVE-2026-30853: RB Input: Ensure files are extracted within container
dir
* CVE-2026-33205 (1/2): E-book viewer: prevent reading background images
from outside the config dir
* CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
the internet. This was an unused feature anyway
* CVE-2026-33206: TXT Input: Ensure resource files are read only from
book contents
Checksums-Sha1:
7860dfcfecf1c9836bf3a0d313cb8f4b4ea199ce 3681 calibre_8.5.0+ds-1+deb13u3.dsc
92006444859ce3a071d98ee164711b3dd88e9cf7 895400 calibre_8.5.0+ds-1+deb13u3.debian.tar.xz
6119fa9753e877bb8030920c298d204a28f9c5f8 23916 calibre_8.5.0+ds-1+deb13u3_source.buildinfo
Checksums-Sha256:
259786eb12734e4ab6a714ab4b06fa9d90bb923c4424e3138d1b6ad057436dc6 3681 calibre_8.5.0+ds-1+deb13u3.dsc
228513db804f75762cad9591aa1ec1fd91b8b1a6ff5c3c12abe9ccb4d5c5fed5 895400 calibre_8.5.0+ds-1+deb13u3.debian.tar.xz
048f06bc137fa90135a9abcec20a4b47e9e45788fbb8d80ecc2c6f44210774e0 23916 calibre_8.5.0+ds-1+deb13u3_source.buildinfo
Files:
2c2f864e2e30683f569109517f0614d4 3681 text optional calibre_8.5.0+ds-1+deb13u3.dsc
53e8503a3559155a527aadb408aaabfb 895400 text optional calibre_8.5.0+ds-1+deb13u3.debian.tar.xz
be764f9cc66d1604b72b0aa9b82e75ef 23916 text optional calibre_8.5.0+ds-1+deb13u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---