Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1138069,
regarding bookworm-pu: package calibre/6.13.0+repack-2+deb12u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138069
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu

[ Reason ]
Fix CVE-2026-33205

[ Impact ]
A Server-Side Request Forgery vulnerability is unfixed.

[ Tests ]
Build time automated test was successful.

[ Risks ]
Not well tested on bookworm machine.

Calibre v6.13.0 code is differ from current upstream code, so I rewrite the
patch for v6.13.0. (Big change was happen in v7.6.0)
This means the fix is less reliable than trixie's fix.
Please review more carefully than trixie's CVE-2026-33205 fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2026-33205

[ Other info ]
* Server-Side Request Forgery in ebook viewer backend
  https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
* E-book viewer: prevent reading background images
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
* Examine this fix from online
  https://github.com/debian-
calibre/calibre/compare/debian/6.13.0+repack-2+deb12u8...bookworm-update
diff -Nru calibre-6.13.0+repack/debian/changelog 
calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog      2026-05-24 14:19:11.000000000 
+0900
+++ calibre-6.13.0+repack/debian/changelog      2026-05-27 23:52:50.000000000 
+0900
@@ -1,3 +1,10 @@
+calibre (6.13.0+repack-2+deb12u9) bookworm; urgency=medium
+
+  * CVE-2026-33205: E-book viewer: prevent reading background images from
+    outside the config dir
+
+ -- YOKOTA Hiroshi <[email protected]>  Wed, 27 May 2026 23:52:50 +0900
+
 calibre (6.13.0+repack-2+deb12u8) bookworm; urgency=medium
 
   * Add comment for unused fix
diff -Nru 
calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch
 
calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch
--- 
calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch
        1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch
        2026-05-27 23:52:16.000000000 +0900
@@ -0,0 +1,37 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:50:19 +0530
+Subject: CVE-2026-33205: E-book viewer: prevent reading background images
+ from outside the config dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin: 
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py 
b/src/calibre/gui2/viewer/web_view.py
+index fc077f1..0ea687c 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -80,13 +80,16 @@ def get_data(name):
+ def background_image():
+     ans = getattr(background_image, 'ans', None)
+     if ans is None:
+-        img_path = os.path.join(viewer_config_dir, 'bg-image.data')
++        base = os.path.abspath(viewer_config_dir) + os.sep
++        img_path = os.path.abspath(os.path.join(base, 'bg-image.data'))
++        if not img_path.startswith(base):
++            return 'image/jpeg', b''
+         if os.path.exists(img_path):
+             with open(img_path, 'rb') as f:
+                 data = f.read()
+                 mt, data = data.split(b'|', 1)
+         else:
+-            ans = b'image/jpeg', b''
++            return 'image/jpeg', b''
+         ans = background_image.ans = mt.decode('utf-8'), data
+     return ans
+ 
diff -Nru calibre-6.13.0+repack/debian/patches/series 
calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series 2026-05-24 14:19:11.000000000 
+0900
+++ calibre-6.13.0+repack/debian/patches/series 2026-05-27 23:52:16.000000000 
+0900
@@ -44,3 +44,4 @@
 0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
 0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
 0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
+0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to