Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1136055,
regarding trixie-pu: package calibre/8.5.0+ds-1+deb13u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136055
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu


[ Reason ]

Fix these CVEs.
CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33205: Server-Side Request Forgery in ebook viewer backend
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a
text-based file

[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.

[ Tests ]
Automated build-time test was successful.

[ Risks ]
Not well tested on trixie machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix for CVE-2026-30853
* Fix for CVE-2026-33205
* Fix for CVE-2026-33206

[ Other info ]
deb13u3 fix is not confirmed by release team yet.
So, please confirm deb13u3 fix first.
> trixie-pu: package calibre/8.5.0+ds-1+deb13u3
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136055

You can examine this fix from online:
https://github.com/debian-
calibre/calibre/compare/15e9d5649d1ff27e8bbd033309546080c0b8797c...debian/trixie
diff -Nru calibre-8.5.0+ds/debian/changelog calibre-8.5.0+ds/debian/changelog
--- calibre-8.5.0+ds/debian/changelog   2026-05-10 17:09:13.000000000 +0900
+++ calibre-8.5.0+ds/debian/changelog   2026-05-24 13:42:03.000000000 +0900
@@ -1,3 +1,16 @@
+calibre (8.5.0+ds-1+deb13u4) trixie; urgency=medium
+
+  * CVE-2026-30853: RB Input: Ensure files are extracted within container
+    dir
+  * CVE-2026-33205 (1/2): E-book viewer: prevent reading background images
+    from outside the config dir
+  * CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+    the internet. This was an unused feature anyway
+  * CVE-2026-33206: TXT Input: Ensure resource files are read only from
+    book contents
+
+ -- YOKOTA Hiroshi <[email protected]>  Sun, 24 May 2026 13:42:03 +0900
+
 calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium
 
   * Fix security vulnerabilities and code quality issues (Closes: #1135543)
diff -Nru calibre-8.5.0+ds/debian/patches/series 
calibre-8.5.0+ds/debian/patches/series
--- calibre-8.5.0+ds/debian/patches/series      2026-05-10 17:09:13.000000000 
+0900
+++ calibre-8.5.0+ds/debian/patches/series      2026-05-24 13:33:35.000000000 
+0900
@@ -88,3 +88,7 @@
 upstream/0088-CVE-2026-27810-Content-server-Sanitize-content-dispo.patch
 upstream/0089-CVE-2026-27824-Content-server-When-banning-IPs-for-r.patch
 upstream/0090-Fix-security-vulnerabilities-and-code-quality-issues.patch
+upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
+upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
+upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
+upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kovid Goyal <[email protected]>
+Date: Fri, 6 Mar 2026 07:39:44 +0530
+Subject: CVE-2026-30853: RB Input: Ensure files are extracted within
+ container dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
+Origin: 
https://github.com/kovidgoyal/calibre/commit/0f8dc639337d9ace67201e15ca12d5906d05f4c8
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/rb/reader.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/calibre/ebooks/rb/reader.py b/src/calibre/ebooks/rb/reader.py
+index c1f77dd..b13066a 100644
+--- a/src/calibre/ebooks/rb/reader.py
++++ b/src/calibre/ebooks/rb/reader.py
+@@ -67,6 +67,15 @@ class Reader:
+ 
+         return toc
+ 
++    def get_safe_path(self, output_dir, name):
++        base = os.path.abspath(output_dir)
++        if not base.endswith(os.sep):
++            base += os.sep
++        ans = os.path.abspath(os.path.join(base, name))
++        if os.path.commonprefix([ans, base]) != base:
++            ans = ''
++        return ans
++
+     def get_text(self, toc_item, output_dir):
+         if toc_item.flags in (1, 2):
+             return
+@@ -87,8 +96,9 @@ class Reader:
+         else:
+             output += self.stream.read(toc_item.size).decode('cp1252' if 
self.encoding is None else self.encoding, 'replace')
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as html:
+-            html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8'))
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as html:
++                html.write(output.replace('<TITLE>', '<TITLE> 
').encode('utf-8'))
+ 
+     def get_image(self, toc_item, output_dir):
+         if toc_item.flags != 0:
+@@ -97,8 +107,9 @@ class Reader:
+         self.stream.seek(toc_item.offset)
+         data = self.stream.read(toc_item.size)
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as img:
+-            img.write(data)
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as img:
++                img.write(data)
+ 
+     def extract_content(self, output_dir):
+         self.log.debug('Extracting content from file...')
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,31 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:50:19 +0530
+Subject: CVE-2026-33205 (1/2): E-book viewer: prevent reading background
+ images from outside the config dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin: 
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py 
b/src/calibre/gui2/viewer/web_view.py
+index d2116bb..e09688c 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -106,8 +106,11 @@ def background_image(encoded_fname=''):
+         except FileNotFoundError:
+             return 'image/jpeg', b''
+     fname = bytes.fromhex(encoded_fname).decode()
+-    img_path = os.path.join(viewer_config_dir, 'background-images', fname)
++    base = os.path.abspath(os.path.join(viewer_config_dir, 
'background-images')) + os.sep
++    img_path = os.path.abspath(os.path.join(base, fname))
+     mt = guess_type(fname)[0] or 'image/jpeg'
++    if not img_path.startswith(base):
++        return mt, b''
+     try:
+         with open(make_long_path_useable(img_path), 'rb') as f:
+             return mt, f.read()
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,36 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:58:25 +0530
+Subject: CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+ the internet. This was an unused feature anyway
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin: 
https://github.com/kovidgoyal/calibre/commit/b1ef6a8142b8dadeb7e72c250c65d42b36ee7118
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py 
b/src/calibre/gui2/viewer/web_view.py
+index e09688c..9c8e237 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -115,17 +115,6 @@ def background_image(encoded_fname=''):
+         with open(make_long_path_useable(img_path), 'rb') as f:
+             return mt, f.read()
+     except FileNotFoundError:
+-        if fname.startswith(('https://', 'http://')):
+-            from calibre import browser
+-            br = browser()
+-            try:
+-                with br.open(fname) as src:
+-                    data = src.read()
+-            except Exception:
+-                return mt, b''
+-            with open(make_long_path_useable(img_path), 'wb') as dest:
+-                dest.write(data)
+-            return mt, data
+         return mt, b''
+ 
+ 
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,27 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:37:16 +0530
+Subject: CVE-2026-33206: TXT Input: Ensure resource files are read only from
+ book contents
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
+Origin: 
https://github.com/kovidgoyal/calibre/commit/c43f347837dbc00d9a7b5ff15a228b6f6081e290
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/conversion/plugins/txt_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/txt_input.py 
b/src/calibre/ebooks/conversion/plugins/txt_input.py
+index d6d43a6..6bc8289 100644
+--- a/src/calibre/ebooks/conversion/plugins/txt_input.py
++++ b/src/calibre/ebooks/conversion/plugins/txt_input.py
+@@ -112,7 +112,7 @@ class TXTInput(InputFormatPlugin):
+             src = img.get('src')
+             prefix = src.split(':', 1)[0].lower()
+             if src and prefix not in ('file', 'http', 'https', 'ftp') and not 
os.path.isabs(src):
+-                src = os.path.join(base_dir, src)
++                src = os.path.abspath(os.path.join(base_dir, src))
+                 if os.path.normcase(src).startswith(base_dir) and 
os.path.isfile(src) and os.access(src, os.R_OK):
+                     with open(src, 'rb') as f:
+                         data = f.read()

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to