Brian May <> writes:

> Won't this break existing installs by making existing data inaccessible?

Maybe not. If I am reading the code correctly, for bookmarks this only
affects imports/exports. Not the datastore for bookmarks.

Possibly the same for the metadata.db data too, although as far as I can
tell, CVE-2018-7889 doesn't actually cover this vulnerability. Not sure
there is a CVE for this however.

As far as I can tell, the upstream patch for CVE-2018-7889 has changes
that aren't related to the security issue. Or it could be a fix for the
metadata.db issue, but if so I am completely confused because it doesn't
actually appear to touch the vulnerable call to cPickle.
Brian May <>

Reply via email to