-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4554-1                          [email protected]
https://www.debian.org/lts/security/                          Abhijith PA
April 29, 2026                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : calibre
Version        : 5.12.0+dfsg-1+deb11u4
CVE ID         : CVE-2025-64486 CVE-2026-25635 CVE-2026-25636 CVE-2026-26064
                 CVE-2026-26065

Multiple vulnerabilities have been discovered in calibre, an e-book
manager.

CVE-2025-64486

    calibre does not validate filenames when handling binary assets in
    FB2 files, allowing an attacker to write arbitrary files on the
    filesystem when viewing or converting a malicious FictionBook
    file. This can be leveraged to achieve arbitrary code execution.

CVE-2026-25635

    Calibre's CHM reader contains a path traversal vulnerability that
    allows arbitrary file writes anywhere the user has write
    permissions.

CVE-2026-25636

    A path traversal vulnerability in Calibre's EPUB conversion allows
    a malicious EPUB file to corrupt arbitrary existing files writable
    by the Calibre process.

CVE-2026-26064

    A path traversal vulnerability allows arbitrary file writes
    anywhere the user has write permissions.

CVE-2026-26065

    Path traversal in the PDB readers allows arbitrary file writes
    with arbitrary extension and arbitrary content anywhere the user
    has write permissions. Files are written in 'wb' mode, silently
    overwriting existing files. This can potentially lead to code
    execution and denial of service through file corruption.

For Debian 11 bullseye, these problems have been fixed in version
5.12.0+dfsg-1+deb11u4.

We recommend that you upgrade your calibre packages.

For the detailed security status of calibre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/calibre

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
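
As an added illustration (not part of the Debian advisory, and not calibre's code or its actual fix), the following Python example shows the kind of filename validation whose absence CVE-2025-64486 describes, and writes with exclusive-create mode instead of the 'wb' mode noted for CVE-2026-26065. The function names, the exception class and the sample asset names are constructed for this example.

```python
import tempfile
from pathlib import Path


class UnsafeAssetName(ValueError):
    """Raised when an embedded asset name would land outside the output directory."""


def resolve_inside(root: Path, member_name: str) -> Path:
    """Map an untrusted asset name from a book container to a path under root."""
    # Treat Windows separators like POSIX ones so "..\\x" is handled as "../x".
    name = member_name.replace("\\", "/")
    if not name or "\x00" in name:
        raise UnsafeAssetName(member_name)
    root = root.resolve()
    # An absolute name replaces root when joined; resolve() collapses ".." and symlinks.
    target = (root / name).resolve()
    if target == root or not target.is_relative_to(root):
        raise UnsafeAssetName(member_name)
    return target


def write_asset(root: Path, member_name: str, data: bytes) -> Path:
    """Write one extracted asset, refusing traversal and refusing to overwrite."""
    target = resolve_inside(root, member_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # 'xb' raises FileExistsError if the file exists; 'wb' would silently truncate it.
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo() -> list:
    """Run constructed asset names through write_asset and return each outcome."""
    names = ["images/cover.png", "../escaped.txt", "/tmp/abs.txt",
             "a/../../up.txt", "..\\win.txt", "images/cover.png"]
    outcomes = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "out"
        root.mkdir()
        for name in names:
            try:
                write_asset(root, name, b"constructed sample bytes")
                outcomes.append("written")
            except UnsafeAssetName:
                outcomes.append("rejected")
            except FileExistsError:
                outcomes.append("exists")
    return outcomes
```

The check does not address a directory that another process can modify between validation and the write; it assumes the output directory is private to the converting process.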