Package: calibre
Version: 2.71.0+dfsg-1
Severity: critical
File: /usr/bin/ebook-viewer
Tags: security

Hi,

Someone pointed me to this note in the 2.75.1 changelog:

    E-book viewer: Prevent javascript in the book from accessing files on the computer using XMLHttpRequest.

The ticket link (#1651728) is dead, so I don't have extra details for this.

This does seem like a security issue. Considering how little follow-up is done by upstream on security issues, I suspect this is not properly documented anywhere either. So this is the first step in opening up an investigation about this. The next step is to figure out which versions are affected and the severity of this bug. Someone should also request a CVE at the oss-security mailing list once this is clarified.

It seems to me we should review the upstream changelog more thoroughly when a new version is packaged. This way we would have found out about this issue, which probably affects Debian users already.

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages calibre depends on:
ii  calibre-bin                        2.75.1+dfsg-1
ii  fonts-liberation                   1:1.07.4-2
ii  imagemagick                        8:6.9.7.0+dfsg-2
ii  imagemagick-6.q16 [imagemagick]    8:6.9.6.6+dfsg-1
ii  libjs-mathjax                      2.7.0-1
ii  poppler-utils                      0.48.0-2
ii  python-apsw                        3.13.0-r1-1
ii  python-beautifulsoup               3.2.1-1
ii  python-chardet                     2.3.0-2
ii  python-cherrypy3                   3.5.0-2
ii  python-cssselect                   1.0.0-1
ii  python-cssutils                    1.0-4.1
ii  python-dateutil                    2.5.3-2
ii  python-dbus                        1.2.4-1
ii  python-feedparser                  5.1.3-3
ii  python-imaging                     3.4.2-1
ii  python-lxml                        3.7.1-1
ii  python-markdown                    2.6.7-1
ii  python-mechanize                   1:0.2.5-3
ii  python-netifaces                   0.10.4-0.1+b2
ii  python-pil                         3.4.2-1
ii  python-pkg-resources               32.3.1-1
ii  python-pyparsing                   2.1.10+dfsg1-1
ii  python-pyqt5                       5.7+dfsg-4
ii  python-pyqt5.qtsvg                 5.7+dfsg-4
ii  python-pyqt5.qtwebkit              5.7+dfsg-4
ii  python-routes                      2.3.1-2
ii  python2.7                          2.7.13-1
ii  xdg-utils                          1.1.1-1

Versions of packages calibre recommends:
ii  python-dnspython                   1.15.0-1

calibre suggests no packages.

-- no debconf information
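The report's open question is which viewer versions let book JavaScript read local files through XMLHttpRequest. The script below is an added example, not part of the bug report or of calibre: it builds a minimal EPUB whose single chapter tries a synchronous XHR against a local file:// URL and writes a verdict into the page, so a packager can open the same file in each ebook-viewer version and read the result without the book sending anything anywhere. The probe target `file:///etc/hostname`, the file name `xhr-file-probe.epub`, and the assumption that the viewer renders book content in a way that exposes XMLHttpRequest at all are mine; the EPUB layout (uncompressed `mimetype` entry first, `META-INF/container.xml`, an OPF package and one XHTML spine item) follows the OCF/OPF 2.0 container format.

```python
"""Build a minimal EPUB whose chapter probes whether book JavaScript can
read a local file via XMLHttpRequest.  Constructed test artefact (not
calibre code): open it in each ebook-viewer under test and read the verdict."""
import io
import zipfile

# Low-sensitivity, world-readable file used as the probe target (assumption:
# it exists on the test machine; a missing file would look like "no data").
PROBE_URL = "file:///etc/hostname"

CONTAINER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles>
    <rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>
  </rootfiles>
</container>
"""

CONTENT_OPF = """<?xml version="1.0" encoding="UTF-8"?>
<package xmlns="http://www.idpf.org/2007/opf" version="2.0" unique-identifier="uid">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>XHR file:// probe</dc:title>
    <dc:language>en</dc:language>
    <dc:identifier id="uid">urn:uuid:00000000-0000-0000-0000-000000000000</dc:identifier>
  </metadata>
  <manifest><item id="probe" href="probe.xhtml" media-type="application/xhtml+xml"/></manifest>
  <spine><itemref idref="probe"/></spine>
</package>
"""


def probe_chapter(url: str) -> str:
    """XHTML chapter whose script issues a synchronous XHR to `url` and
    reports the outcome in the page itself (no exfiltration)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XHR file:// probe</title></head>
<body>
<p>Probe target: {url}</p>
<p id="verdict">JavaScript did not run (viewer has scripts disabled).</p>
<script type="text/javascript">
//<![CDATA[
(function () {{
  var out = document.getElementById("verdict");
  try {{
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "{url}", false);   // synchronous: verdict is immediate
    xhr.send(null);
    if (xhr.responseText && xhr.responseText.length > 0) {{
      out.textContent = "AFFECTED: read " + xhr.responseText.length + " bytes from {url}";
    }} else {{
      out.textContent = "NOT AFFECTED: request completed but returned no data";
    }}
  }} catch (e) {{
    out.textContent = "NOT AFFECTED: request blocked (" + e + ")";
  }}
}})();
//]]>
</script>
</body>
</html>
"""


def build_probe_epub(url: str = PROBE_URL) -> bytes:
    """Return EPUB bytes; `mimetype` must be the first entry and stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", CONTAINER_XML, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("OEBPS/content.opf", CONTENT_OPF, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("OEBPS/probe.xhtml", probe_chapter(url), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def epub_layout(data: bytes) -> dict:
    """Sanity-check the container so a malformed probe (which the viewer
    might refuse to open) is not mistaken for a 'not affected' result."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            "names": [i.filename for i in infos],
            "mimetype_first": infos[0].filename == "mimetype",
            "mimetype_stored": infos[0].compress_type == zipfile.ZIP_STORED,
            "chapter": zf.read("OEBPS/probe.xhtml").decode("utf-8"),
        }


if __name__ == "__main__":
    with open("xhr-file-probe.epub", "wb") as fh:
        fh.write(build_probe_epub())
    print("wrote xhr-file-probe.epub; open it with ebook-viewer and read the verdict")
```

Run it on a machine with the viewer version under test installed, open the generated file, and read the verdict paragraph: "AFFECTED" means the book's script read the local file, "blocked" or "no data" means it could not, and the unchanged default text means the viewer did not execute the script at all, which is a different (and stronger) mitigation than an XHR restriction. Before trusting a "no data" verdict, confirm the probe target exists and is readable on that machine.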