Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1137465,
regarding bookworm-pu: package calibre/6.13.0+repack-2+deb12u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137465: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137465
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu


[ Reason ]
Fix these CVEs.
CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a
text-based file

[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.

[ Tests ]
Automated build-time test was successful.

[ Risks ]
Not well tested on bookworm machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Add missing comments to previous deb12u7 fix
* Fix for CVE-2026-30853
* Fix for CVE-2026-33206

[ Other info ]
You can examine this fix from online:
https://github.com/debian-
calibre/calibre/compare/debian/6.13.0+repack-2+deb12u7...bookworm-update
diff -Nru calibre-6.13.0+repack/debian/changelog 
calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog      2026-05-10 17:03:19.000000000 
+0900
+++ calibre-6.13.0+repack/debian/changelog      2026-05-24 14:19:11.000000000 
+0900
@@ -1,3 +1,13 @@
+calibre (6.13.0+repack-2+deb12u8) bookworm; urgency=medium
+
+  * Add comment for unused fix
+  * CVE-2026-30853: RB Input: Ensure files are extracted within container
+    dir
+  * CVE-2026-33206: TXT Input: Ensure resource files are read only from
+    book contents
+
+ -- YOKOTA Hiroshi <[email protected]>  Sun, 24 May 2026 14:19:11 +0900
+
 calibre (6.13.0+repack-2+deb12u7) bookworm; urgency=medium
 
   * Fix security vulnerabilities and code quality issues (Closes: #1136161)
diff -Nru 
calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
 
calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
--- 
calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
        2026-05-10 17:03:19.000000000 +0900
+++ 
calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
        2026-05-24 14:14:55.000000000 +0900
@@ -9,6 +9,7 @@
 
 High severity:
 - Fix typo normapth -> normpath in srv/content.py (broken endpoint)
+  (This fix is not needed for Calibre 6.13.0)
 - Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
 - Log exceptions in FunctionDispatcher.dispatch instead of swallowing
 
diff -Nru 
calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
 
calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
--- 
calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
        1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
        2026-05-24 14:14:55.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kovid Goyal <[email protected]>
+Date: Fri, 6 Mar 2026 07:39:44 +0530
+Subject: CVE-2026-30853: RB Input: Ensure files are extracted within
+ container dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
+Origin: 
https://github.com/kovidgoyal/calibre/commit/0f8dc639337d9ace67201e15ca12d5906d05f4c8
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/rb/reader.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/calibre/ebooks/rb/reader.py b/src/calibre/ebooks/rb/reader.py
+index 58a5ecb..8eb3b97 100644
+--- a/src/calibre/ebooks/rb/reader.py
++++ b/src/calibre/ebooks/rb/reader.py
+@@ -68,6 +68,15 @@ class Reader:
+ 
+         return toc
+ 
++    def get_safe_path(self, output_dir, name):
++        base = os.path.abspath(output_dir)
++        if not base.endswith(os.sep):
++            base += os.sep
++        ans = os.path.abspath(os.path.join(base, name))
++        if os.path.commonprefix([ans, base]) != base:
++            ans = ''
++        return ans
++
+     def get_text(self, toc_item, output_dir):
+         if toc_item.flags in (1, 2):
+             return
+@@ -88,8 +97,9 @@ class Reader:
+         else:
+             output += self.stream.read(toc_item.size).decode('cp1252' if 
self.encoding is None else self.encoding, 'replace')
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as html:
+-            html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8'))
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as html:
++                html.write(output.replace('<TITLE>', '<TITLE> 
').encode('utf-8'))
+ 
+     def get_image(self, toc_item, output_dir):
+         if toc_item.flags != 0:
+@@ -98,8 +108,9 @@ class Reader:
+         self.stream.seek(toc_item.offset)
+         data = self.stream.read(toc_item.size)
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as img:
+-            img.write(data)
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as img:
++                img.write(data)
+ 
+     def extract_content(self, output_dir):
+         self.log.debug('Extracting content from file...')
diff -Nru 
calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
 
calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
--- 
calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
        1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
        2026-05-24 14:14:55.000000000 +0900
@@ -0,0 +1,27 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:37:16 +0530
+Subject: CVE-2026-33206: TXT Input: Ensure resource files are read only from
+ book contents
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
+Origin: 
https://github.com/kovidgoyal/calibre/commit/c43f347837dbc00d9a7b5ff15a228b6f6081e290
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/conversion/plugins/txt_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/txt_input.py 
b/src/calibre/ebooks/conversion/plugins/txt_input.py
+index a28f58e..82cbab7 100644
+--- a/src/calibre/ebooks/conversion/plugins/txt_input.py
++++ b/src/calibre/ebooks/conversion/plugins/txt_input.py
+@@ -111,7 +111,7 @@ class TXTInput(InputFormatPlugin):
+             src = img.get('src')
+             prefix = src.split(':', 1)[0].lower()
+             if src and prefix not in ('file', 'http', 'https', 'ftp') and not 
os.path.isabs(src):
+-                src = os.path.join(base_dir, src)
++                src = os.path.abspath(os.path.join(base_dir, src))
+                 if os.path.isfile(src) and os.access(src, os.R_OK):
+                     with open(src, 'rb') as f:
+                         data = f.read()
diff -Nru calibre-6.13.0+repack/debian/patches/series 
calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series 2026-05-10 17:03:19.000000000 
+0900
+++ calibre-6.13.0+repack/debian/patches/series 2026-05-24 14:14:55.000000000 
+0900
@@ -42,3 +42,5 @@
 0042-CVE-2026-27810-Content-server-Sanitize-content-dispo.patch
 0043-CVE-2026-27824-Content-server-When-banning-IPs-for-r.patch
 0044-Fix-security-vulnerabilities-and-code-quality-issues.patch
+0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
+0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to