Here is a diff against the wheezy version. Have tested it against the exploit at https://bugs.launchpad.net/calibre/+bug/1651728 and it solves the problem for me.
I have also made this available at: https://people.debian.org/~bam/debian/pool/main/c/calibre/ diff -Nru calibre-0.8.51+dfsg1/debian/changelog calibre-0.8.51+dfsg1/debian/changelog --- calibre-0.8.51+dfsg1/debian/changelog 2013-01-17 09:53:25.000000000 +1100 +++ calibre-0.8.51+dfsg1/debian/changelog 2017-03-14 17:36:04.000000000 +1100 @@ -1,3 +1,11 @@ +calibre (0.8.51+dfsg1-0.1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2016-10187: Ensure javascript cannot read from local files. + Closes: 853004. + + -- Brian May <[email protected]> Tue, 14 Mar 2017 17:36:04 +1100 + calibre (0.8.51+dfsg1-0.1) testing-proposed-updates; urgency=low * Non-maintainer upload. diff -Nru calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch --- calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch 1970-01-01 10:00:00.000000000 +1000 +++ calibre-0.8.51+dfsg1/debian/patches/js_no_local_file_access.patch 2017-03-14 17:35:52.000000000 +1100 
@@ -0,0 +1,25 @@ +From 3a89718664cb8cce0449d1758eee585ed0d0433c Mon Sep 17 00:00:00 2001 +From: Kovid Goyal <[email protected]> +Date: Wed, 21 Dec 2016 17:59:00 +0530 +Subject: [PATCH] E-book viewer: Prevent javascript in the book from accessing + files on the computer using XMLHttpRequest. Fixes #1651728 [Private + bug](https://bugs.launchpad.net/calibre/+bug/1651728) + +--- + src/calibre/gui2/tweak_book/preview.py | 2 ++ + src/calibre/gui2/viewer/documentview.py | 3 +-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +Bug: https://launchpad.net/bugs/1651728 +Bug-Debian: https://bugs.debian.org/853004 + +--- a/src/calibre/gui2/viewer/documentview.py ++++ b/src/calibre/gui2/viewer/documentview.py +@@ -215,6 +215,7 @@ + settings.setAttribute(QWebSettings.PluginsEnabled, False) + settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False) + settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False) ++ settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files + + # Miscellaneous + settings.setAttribute(QWebSettings.LinksIncludedInFocusChain, True) diff -Nru calibre-0.8.51+dfsg1/debian/patches/series calibre-0.8.51+dfsg1/debian/patches/series --- calibre-0.8.51+dfsg1/debian/patches/series 2012-05-14 20:13:47.000000000 +1000 +++ calibre-0.8.51+dfsg1/debian/patches/series 2017-03-14 17:29:33.000000000 +1100 @@ -1,4 +1,5 @@ # cherrypicked from/accepted into trunk: +js_no_local_file_access.patch # sent upstream -- Brian May <[email protected]> https://linuxpenguins.xyz/brian/
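Review bot: in the js_no_local_file_access.patch hunk the git header no longer describes the patch body: the diffstat lists `src/calibre/gui2/tweak_book/preview.py | 2 ++` and `3 insertions(+), 2 deletions(-)`, but the only hunk that follows touches `src/calibre/gui2/viewer/documentview.py` and adds a single line. Since this is a backport of upstream 3a89718664cb8cce0449d1758eee585ed0d0433c onto 0.8.51, the header should say so: trim the diffstat to the one file actually changed and add a DEP-3 `Comment:` line stating why the preview.py part and the two upstream deletions were dropped (for example, if the tweak_book editor does not exist in 0.8.51), so the next LTS maintainer can tell the backport is intentionally partial rather than truncated.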
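Review bot: cosmetic point on the debian/changelog hunk: the bug reference is written `Closes: 853004`, while the conventional Debian form is `Closes: #853004`. The bug-closing parser accepts the bare number, so nothing breaks, but the `#` keeps the entry consistent with the usual wheezy-security changelog style.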
