--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu
[ Reason ]
Fix these CVEs.
CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33205: Server-Side Request Forgery in ebook viewer backend
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a
text-based file
[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.
[ Tests ]
Automated build-time test was successful.
[ Risks ]
Not well tested on trixie machine.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Fix for CVE-2026-30853
* Fix for CVE-2026-33205
* Fix for CVE-2026-33206
[ Other info ]
deb13u3 fix is not confirmed by release team yet.
So, please confirm deb13u3 fix first.
> trixie-pu: package calibre/8.5.0+ds-1+deb13u3
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136055
You can examine this fix from online:
https://github.com/debian-
calibre/calibre/compare/15e9d5649d1ff27e8bbd033309546080c0b8797c...debian/trixie
diff -Nru calibre-8.5.0+ds/debian/changelog calibre-8.5.0+ds/debian/changelog
--- calibre-8.5.0+ds/debian/changelog 2026-05-10 17:09:13.000000000 +0900
+++ calibre-8.5.0+ds/debian/changelog 2026-05-24 13:42:03.000000000 +0900
@@ -1,3 +1,16 @@
+calibre (8.5.0+ds-1+deb13u4) trixie; urgency=medium
+
+ * CVE-2026-30853: RB Input: Ensure files are extracted within container
+ dir
+ * CVE-2026-33205 (1/2): E-book viewer: prevent reading background images
+ from outside the config dir
+ * CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+ the internet. This was an unused feature anyway
+ * CVE-2026-33206: TXT Input: Ensure resource files are read only from
+ book contents
+
+ -- YOKOTA Hiroshi <[email protected]> Sun, 24 May 2026 13:42:03 +0900
+
calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium
* Fix security vulnerabilities and code quality issues (Closes: #1135543)
diff -Nru calibre-8.5.0+ds/debian/patches/series
calibre-8.5.0+ds/debian/patches/series
--- calibre-8.5.0+ds/debian/patches/series 2026-05-10 17:09:13.000000000
+0900
+++ calibre-8.5.0+ds/debian/patches/series 2026-05-24 13:33:35.000000000
+0900
@@ -88,3 +88,7 @@
upstream/0088-CVE-2026-27810-Content-server-Sanitize-content-dispo.patch
upstream/0089-CVE-2026-27824-Content-server-When-banning-IPs-for-r.patch
upstream/0090-Fix-security-vulnerabilities-and-code-quality-issues.patch
+upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
+upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
+upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
+upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
diff -Nru
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
---
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
1970-01-01 09:00:00.000000000 +0900
+++
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kovid Goyal <[email protected]>
+Date: Fri, 6 Mar 2026 07:39:44 +0530
+Subject: CVE-2026-30853: RB Input: Ensure files are extracted within
+ container dir
+
+Forwarded: not-needed
+Bug:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
+Origin:
https://github.com/kovidgoyal/calibre/commit/0f8dc639337d9ace67201e15ca12d5906d05f4c8
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/rb/reader.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/calibre/ebooks/rb/reader.py b/src/calibre/ebooks/rb/reader.py
+index c1f77dd..b13066a 100644
+--- a/src/calibre/ebooks/rb/reader.py
++++ b/src/calibre/ebooks/rb/reader.py
+@@ -67,6 +67,15 @@ class Reader:
+
+ return toc
+
++ def get_safe_path(self, output_dir, name):
++ base = os.path.abspath(output_dir)
++ if not base.endswith(os.sep):
++ base += os.sep
++ ans = os.path.abspath(os.path.join(base, name))
++ if os.path.commonprefix([ans, base]) != base:
++ ans = ''
++ return ans
++
+ def get_text(self, toc_item, output_dir):
+ if toc_item.flags in (1, 2):
+ return
+@@ -87,8 +96,9 @@ class Reader:
+ else:
+ output += self.stream.read(toc_item.size).decode('cp1252' if
self.encoding is None else self.encoding, 'replace')
+
+- with open(os.path.join(output_dir, toc_item.name.decode('utf-8')),
'wb') as html:
+- html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8'))
++ if path := self.get_safe_path(output_dir,
toc_item.name.decode('utf-8')):
++ with open(path, 'wb') as html:
++ html.write(output.replace('<TITLE>', '<TITLE>
').encode('utf-8'))
+
+ def get_image(self, toc_item, output_dir):
+ if toc_item.flags != 0:
+@@ -97,8 +107,9 @@ class Reader:
+ self.stream.seek(toc_item.offset)
+ data = self.stream.read(toc_item.size)
+
+- with open(os.path.join(output_dir, toc_item.name.decode('utf-8')),
'wb') as img:
+- img.write(data)
++ if path := self.get_safe_path(output_dir,
toc_item.name.decode('utf-8')):
++ with open(path, 'wb') as img:
++ img.write(data)
+
+ def extract_content(self, output_dir):
+ self.log.debug('Extracting content from file...')
diff -Nru
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
---
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
1970-01-01 09:00:00.000000000 +0900
+++
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,31 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:50:19 +0530
+Subject: CVE-2026-33205 (1/2): E-book viewer: prevent reading background
+ images from outside the config dir
+
+Forwarded: not-needed
+Bug:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin:
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py
b/src/calibre/gui2/viewer/web_view.py
+index d2116bb..e09688c 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -106,8 +106,11 @@ def background_image(encoded_fname=''):
+ except FileNotFoundError:
+ return 'image/jpeg', b''
+ fname = bytes.fromhex(encoded_fname).decode()
+- img_path = os.path.join(viewer_config_dir, 'background-images', fname)
++ base = os.path.abspath(os.path.join(viewer_config_dir,
'background-images')) + os.sep
++ img_path = os.path.abspath(os.path.join(base, fname))
+ mt = guess_type(fname)[0] or 'image/jpeg'
++ if not img_path.startswith(base):
++ return mt, b''
+ try:
+ with open(make_long_path_useable(img_path), 'rb') as f:
+ return mt, f.read()
diff -Nru
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
---
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
1970-01-01 09:00:00.000000000 +0900
+++
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,36 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:58:25 +0530
+Subject: CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+ the internet. This was an unused feature anyway
+
+Forwarded: not-needed
+Bug:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin:
https://github.com/kovidgoyal/calibre/commit/b1ef6a8142b8dadeb7e72c250c65d42b36ee7118
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py
b/src/calibre/gui2/viewer/web_view.py
+index e09688c..9c8e237 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -115,17 +115,6 @@ def background_image(encoded_fname=''):
+ with open(make_long_path_useable(img_path), 'rb') as f:
+ return mt, f.read()
+ except FileNotFoundError:
+- if fname.startswith(('https://', 'http://')):
+- from calibre import browser
+- br = browser()
+- try:
+- with br.open(fname) as src:
+- data = src.read()
+- except Exception:
+- return mt, b''
+- with open(make_long_path_useable(img_path), 'wb') as dest:
+- dest.write(data)
+- return mt, data
+ return mt, b''
+
+
diff -Nru
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
---
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
1970-01-01 09:00:00.000000000 +0900
+++
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,27 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:37:16 +0530
+Subject: CVE-2026-33206: TXT Input: Ensure resource files are read only from
+ book contents
+
+Forwarded: not-needed
+Bug:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
+Origin:
https://github.com/kovidgoyal/calibre/commit/c43f347837dbc00d9a7b5ff15a228b6f6081e290
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/conversion/plugins/txt_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/txt_input.py
b/src/calibre/ebooks/conversion/plugins/txt_input.py
+index d6d43a6..6bc8289 100644
+--- a/src/calibre/ebooks/conversion/plugins/txt_input.py
++++ b/src/calibre/ebooks/conversion/plugins/txt_input.py
+@@ -112,7 +112,7 @@ class TXTInput(InputFormatPlugin):
+ src = img.get('src')
+ prefix = src.split(':', 1)[0].lower()
+ if src and prefix not in ('file', 'http', 'https', 'ftp') and not
os.path.isabs(src):
+- src = os.path.join(base_dir, src)
++ src = os.path.abspath(os.path.join(base_dir, src))
+ if os.path.normcase(src).startswith(base_dir) and
os.path.isfile(src) and os.access(src, os.R_OK):
+ with open(src, 'rb') as f:
+ data = f.read()
--- End Message ---