Bug#1120423: marked as done (bookworm-pu: package calibre/6.13.0+repack-2+deb12u5)

Sat, 10 Jan 2026 04:11:29 -0800 

Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1120423,
regarding bookworm-pu: package calibre/6.13.0+repack-2+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120423
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu

[ Reason ]
Fix CVE-2025-64486

[ Impact ]
This bug can be leveraged to achieve arbitrary code execution.

[ Tests ]
Build time test was successful.

[ Risks ]
This bug can be leveraged to achieve arbitrary code execution.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fix:
https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5

You can examine changes from online:
https://github.com/debian-
calibre/calibre/compare/debian/6.13.0+repack-2+deb12u4...bookworm-update

[ Other info ]
Report of this issue by upstream:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g

diff -Nru calibre-6.13.0+repack/debian/changelog 
calibre-6.13.0+repack/debian/changelog
--- calibre-6.13.0+repack/debian/changelog      2024-08-22 20:41:03.000000000 
+0900
+++ calibre-6.13.0+repack/debian/changelog      2025-11-09 18:15:24.000000000 
+0900
@@ -1,3 +1,9 @@
+calibre (6.13.0+repack-2+deb12u5) bookworm; urgency=medium
+
+  * Fix CVE-2025-64486
+
+ -- YOKOTA Hiroshi <[email protected]>  Sun, 09 Nov 2025 18:15:24 +0900
+
 calibre (6.13.0+repack-2+deb12u4) bookworm; urgency=medium
 
   * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
diff -Nru calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch 
calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch
--- calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch  
1970-01-01 09:00:00.000000000 +0900
+++ calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch  
2025-11-09 18:13:16.000000000 +0900
@@ -0,0 +1,23 @@
+From: Kovid Goyal <[email protected]>
+Date: Thu, 6 Nov 2025 09:36:53 +0530
+Subject: Fix CVE-2025-64486
+
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
+Origin: 
https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5
+---
+ src/calibre/ebooks/conversion/plugins/fb2_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/fb2_input.py 
b/src/calibre/ebooks/conversion/plugins/fb2_input.py
+index dae3137..a71011b 100644
+--- a/src/calibre/ebooks/conversion/plugins/fb2_input.py
++++ b/src/calibre/ebooks/conversion/plugins/fb2_input.py
+@@ -161,7 +161,7 @@ class FB2Input(InputFormatPlugin):
+         from calibre.ebooks.fb2 import base64_decode
+         self.binary_map = {}
+         for elem in doc.xpath('./*'):
+-            if elem.text and 'binary' in elem.tag and 'id' in elem.attrib:
++            if elem.text and 'binary' in elem.tag and elem.get('id', ''):
+                 ct = elem.get('content-type', '')
+                 fname = elem.attrib['id']
+                 ext = ct.rpartition('/')[-1].lower()
diff -Nru calibre-6.13.0+repack/debian/patches/series 
calibre-6.13.0+repack/debian/patches/series
--- calibre-6.13.0+repack/debian/patches/series 2024-08-22 20:41:03.000000000 
+0900
+++ calibre-6.13.0+repack/debian/patches/series 2025-11-09 18:13:16.000000000 
+0900
@@ -33,3 +33,4 @@
 0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
 0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
 0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
+0036-Fix-CVE-2025-64486.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as 
part of Debian 12.13.

--- End Message ---

Reply via email to