Brian May <b...@debian.org> writes:

> Won't this break existing installs by making existing data inaccessible?

Maybe not. If I am reading the code correctly, for bookmarks this only
affects imports/exports, not the datastore for bookmarks.

Possibly the same for the metadata.db data too, although as far as I can
tell, CVE-2018-7889 doesn't actually cover this vulnerability. Not sure
there is a CVE for this, however.

As far as I can tell, the upstream patch for CVE-2018-7889 has changes
that aren't related to the security issue. Or it could be a fix for the
metadata.db issue, but if so I am completely confused because it doesn't
actually appear to touch the vulnerable call to cPickle.

https://bugs.launchpad.net/calibre/+bug/1753870
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
-- 
Brian May <b...@debian.org>
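The thread turns on an import/export path that hands user-supplied bookmark data to cPickle. As an added example (not Brian's code and not calibre's), the block below contrasts that pattern with two defensive alternatives: an unpickler that refuses every global reference, and a JSON format with schema validation. Python 3's `pickle` stands in for Python 2's `cPickle`; the bookmark record shape is an assumption for the example, not calibre's real format.

```python
import io
import json
import pickle

# Constructed sample in an assumed bookmark shape (not calibre's real format).
SAMPLE_BOOKMARKS = [
    {"title": "Chapter 3", "pos": "/body/div[2]/p[5]", "type": "cfi"},
    {"title": "Last read", "pos": "/body/div[7]", "type": "cfi"},
]


class RestrictedUnpickler(pickle.Unpickler):
    """Plain bookmark data (lists, dicts, strings, numbers) never needs a
    GLOBAL reference, so any attempt to resolve one is treated as hostile."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted bookmark data"
        )


def load_bookmarks_unsafe(blob: bytes):
    # The pattern discussed in the thread: deserialising an imported file
    # with the stock loader, which resolves whatever module.name the file names.
    return pickle.loads(blob)


def load_bookmarks_restricted(blob: bytes):
    # Same wire format, but every GLOBAL opcode is rejected.
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def validate_bookmarks(obj):
    """Accept only a list of flat string-valued records with the expected keys."""
    if not isinstance(obj, list):
        raise ValueError("bookmarks must be a list")
    for bm in obj:
        if not isinstance(bm, dict) or set(bm) != {"title", "pos", "type"}:
            raise ValueError("unexpected bookmark record")
        if not all(isinstance(v, str) for v in bm.values()):
            raise ValueError("bookmark fields must be strings")
    return obj


def dump_bookmarks_json(bookmarks) -> bytes:
    # Export side: JSON cannot express code references at all.
    return json.dumps(validate_bookmarks(bookmarks)).encode("utf-8")


def load_bookmarks_json(blob: bytes):
    # Import side: parse, then validate the shape before use.
    return validate_bookmarks(json.loads(blob.decode("utf-8")))


def demo():
    """Returns (unsafe_resolved_global, restricted_blocked_global)."""
    benign = pickle.dumps(SAMPLE_BOOKMARKS, protocol=2)
    assert load_bookmarks_restricted(benign) == SAMPLE_BOOKMARKS

    # A pickle that carries a GLOBAL reference. It points at the harmless
    # builtin `len` here; the point is that the stock loader resolves it at all.
    with_global = pickle.dumps(len, protocol=2)
    unsafe = load_bookmarks_unsafe(with_global)
    try:
        load_bookmarks_restricted(with_global)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return unsafe is len, blocked


if __name__ == "__main__":
    print(demo())
    print(load_bookmarks_json(dump_bookmarks_json(SAMPLE_BOOKMARKS)))
```

The restricted unpickler is the smallest change that keeps an existing pickle-based import format readable while closing the code-reference path; switching the export format to JSON removes the class of problem entirely, at the cost of a migration for files already written.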