Package: calibre
Version: 2.71.0+dfsg-1
Severity: critical
File: /usr/bin/ebook-viewer
Tags: security

Hi,

Someone pointed me to this note in the 2.75.1 changelog:

    E-book viewer: Prevent javascript in the book from accessing files
    on the computer using XMLHttpRequest.

The ticket link (#1651728) is dead so I don't have extra details for
this.

This does seem like a security issue. Considering how little followup
is done by upstream on security issues, I suspect this is not properly
documented anywhere either.

So this is the first step in opening up an investigation about this.

The next step is to figure out which versions are affected and the
severity of this bug.

Someone should also request a CVE at the oss-security mailing list
once this is clarified.

It seems to me we should review the upstream changelog more thoroughly
when a new version is packaged. This way we would have found out about
this issue, which probably affects Debian users already.

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages calibre depends on:
ii  calibre-bin                      2.75.1+dfsg-1
ii  fonts-liberation                 1:1.07.4-2
ii  imagemagick                      8:6.9.7.0+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.6.6+dfsg-1
ii  libjs-mathjax                    2.7.0-1
ii  poppler-utils                    0.48.0-2
ii  python-apsw                      3.13.0-r1-1
ii  python-beautifulsoup             3.2.1-1
ii  python-chardet                   2.3.0-2
ii  python-cherrypy3                 3.5.0-2
ii  python-cssselect                 1.0.0-1
ii  python-cssutils                  1.0-4.1
ii  python-dateutil                  2.5.3-2
ii  python-dbus                      1.2.4-1
ii  python-feedparser                5.1.3-3
ii  python-imaging                   3.4.2-1
ii  python-lxml                      3.7.1-1
ii  python-markdown                  2.6.7-1
ii  python-mechanize                 1:0.2.5-3
ii  python-netifaces                 0.10.4-0.1+b2
ii  python-pil                       3.4.2-1
ii  python-pkg-resources             32.3.1-1
ii  python-pyparsing                 2.1.10+dfsg1-1
ii  python-pyqt5                     5.7+dfsg-4
ii  python-pyqt5.qtsvg               5.7+dfsg-4
ii  python-pyqt5.qtwebkit            5.7+dfsg-4
ii  python-routes                    2.3.1-2
ii  python2.7                        2.7.13-1
ii  xdg-utils                        1.1.1-1

Versions of packages calibre recommends:
ii  python-dnspython  1.15.0-1

calibre suggests no packages.

-- no debconf information