Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu

[ Reason ]
Fix these CVEs.

CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a text-based file

[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.

[ Tests ]
Automated build-time test was successful.

[ Risks ]
Not well tested on a bookworm machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Add missing comments to previous deb12u7 fix
* Fix for CVE-2026-30853
* Fix for CVE-2026-33206

[ Other info ]
You can examine this fix online:
https://github.com/debian-calibre/calibre/compare/debian/6.13.0+repack-2+deb12u7...bookworm-update
diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog --- calibre-6.13.0+repack/debian/changelog 2026-05-10 17:03:19.000000000 +0900 +++ calibre-6.13.0+repack/debian/changelog 2026-05-24 14:19:11.000000000 +0900 @@ -1,3 +1,13 @@ +calibre (6.13.0+repack-2+deb12u8) bookworm; urgency=medium + + * Add comment for unused fix + * CVE-2026-30853: RB Input: Ensure files are extracted within container + dir + * CVE-2026-33206: TXT Input: Ensure resource files are read only from + book contents + + -- YOKOTA Hiroshi <[email protected]> Sun, 24 May 2026 14:19:11 +0900 + calibre (6.13.0+repack-2+deb12u7) bookworm; urgency=medium * Fix security vulnerabilities and code quality issues (Closes: #1136161) diff -Nru calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch --- calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch 2026-05-10 17:03:19.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/0044-Fix-security-vulnerabilities-and-code-quality-issues.patch 2026-05-24 14:14:55.000000000 +0900 
@@ -9,6 +9,7 @@ High severity: - Fix typo normapth -> normpath in srv/content.py (broken endpoint) + (This fix is not needed for Calibre 6.13.0) - Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py - Log exceptions in FunctionDispatcher.dispatch instead of swallowing diff -Nru calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch --- calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch 1970-01-01 09:00:00.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch 2026-05-24 14:14:55.000000000 +0900 
@@ -0,0 +1,58 @@ +From: Kovid Goyal <[email protected]> +Date: Fri, 6 Mar 2026 07:39:44 +0530 +Subject: CVE-2026-30853: RB Input: Ensure files are extracted within + container dir + +Forwarded: not-needed +Bug: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x +Origin: https://github.com/kovidgoyal/calibre/commit/0f8dc639337d9ace67201e15ca12d5906d05f4c8 + +Signed-off-by: YOKOTA Hiroshi <[email protected]> +--- + src/calibre/ebooks/rb/reader.py | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/src/calibre/ebooks/rb/reader.py b/src/calibre/ebooks/rb/reader.py +index 58a5ecb..8eb3b97 100644 +--- a/src/calibre/ebooks/rb/reader.py ++++ b/src/calibre/ebooks/rb/reader.py +@@ -68,6 +68,15 @@ class Reader: + + return toc + ++ def get_safe_path(self, output_dir, name): ++ base = os.path.abspath(output_dir) ++ if not base.endswith(os.sep): ++ base += os.sep ++ ans = os.path.abspath(os.path.join(base, name)) ++ if os.path.commonprefix([ans, base]) != base: ++ ans = '' ++ return ans ++ + def get_text(self, toc_item, output_dir): + if toc_item.flags in (1, 2): + return +@@ -88,8 +97,9 @@ class Reader: + else: + output += self.stream.read(toc_item.size).decode('cp1252' if self.encoding is None else self.encoding, 'replace') + +- with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 'wb') as html: +- html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8')) ++ if path := self.get_safe_path(output_dir, toc_item.name.decode('utf-8')): ++ with open(path, 'wb') as html: ++ html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8')) + + def get_image(self, toc_item, output_dir): + if toc_item.flags != 0: +@@ -98,8 +108,9 @@ class Reader: + self.stream.seek(toc_item.offset) + data = self.stream.read(toc_item.size) + +- with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 'wb') as img: +- img.write(data) ++ if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')): ++ with open(path, 'wb') as img: ++ img.write(data) + + def extract_content(self, output_dir): + self.log.debug('Extracting content from file...') diff -Nru calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch --- calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch 1970-01-01 09:00:00.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch 2026-05-24 14:14:55.000000000 +0900 
@@ -0,0 +1,27 @@ +From: Kovid Goyal <[email protected]> +Date: Mon, 16 Mar 2026 08:37:16 +0530 +Subject: CVE-2026-33206: TXT Input: Ensure resource files are read only from + book contents + +Forwarded: not-needed +Bug: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6 +Origin: https://github.com/kovidgoyal/calibre/commit/c43f347837dbc00d9a7b5ff15a228b6f6081e290 + +Signed-off-by: YOKOTA Hiroshi <[email protected]> +--- + src/calibre/ebooks/conversion/plugins/txt_input.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/calibre/ebooks/conversion/plugins/txt_input.py b/src/calibre/ebooks/conversion/plugins/txt_input.py +index a28f58e..82cbab7 100644 +--- a/src/calibre/ebooks/conversion/plugins/txt_input.py ++++ b/src/calibre/ebooks/conversion/plugins/txt_input.py +@@ -111,7 +111,7 @@ class TXTInput(InputFormatPlugin): + src = img.get('src') + prefix = src.split(':', 1)[0].lower() + if src and prefix not in ('file', 'http', 'https', 'ftp') and not os.path.isabs(src): +- src = os.path.join(base_dir, src) ++ src = os.path.abspath(os.path.join(base_dir, src)) + if os.path.isfile(src) and os.access(src, os.R_OK): + with open(src, 'rb') as f: + data = f.read() diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series --- calibre-6.13.0+repack/debian/patches/series 2026-05-10 17:03:19.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/series 2026-05-24 14:14:55.000000000 +0900 @@ -42,3 +42,5 @@ 0042-CVE-2026-27810-Content-server-Sanitize-content-dispo.patch 0043-CVE-2026-27824-Content-server-When-banning-IPs-for-r.patch 0044-Fix-security-vulnerabilities-and-code-quality-issues.patch +0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch +0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
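Review bot: the first bullet of the new deb12u8 changelog entry, "* Add comment for unused fix", does not say which fix is unused; since patch 0044 is the one now annotated with "(This fix is not needed for Calibre 6.13.0)", name it in the changelog, for example "* 0044: note that the srv/content.py normpath typo fix does not apply to 6.13.0", so a reader can tell which hunk is inert without opening the patch.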
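Review bot: the line added to the 0044 patch header, "(This fix is not needed for Calibre 6.13.0)", documents that the normpath typo hunk is unnecessary, but nothing in this hunk removes the corresponding change from the patch body. Confirm whether the body still carries that change; if it does, either drop it from 0044 or extend the comment with why applying it to 6.13.0 is harmless, otherwise the next person to refresh the patch has to rediscover this.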
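Review bot: the get_safe_path hunk in 0045 relies on a subtle detail that deserves an inline comment: os.path.commonprefix is a character-wise comparison, so the `base += os.sep` line is what turns the prefix test into a directory-containment test; without the trailing separator, a name resolving to a sibling directory whose path merely starts with the same characters as output_dir would pass. A one-line comment above the commonprefix check stating that will keep a future cleanup from removing the separator handling.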
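Review bot: in the get_text hunk of 0045, a toc_item whose name is rejected by get_safe_path is now skipped silently, because the `if path := self.get_safe_path(...)` block has no else branch. Emit a warning through self.log (the class already logs via self.log.debug in extract_content) naming the rejected entry, so that a malformed or hostile RB file shows up in the conversion log rather than as a mysteriously missing chapter.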
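Review bot: the same silent-skip concern applies to the get_image hunk of 0045: a rejected image name is dropped with no log line, and any HTML that references that image will later fail to resolve it with no hint why. Add the same self.log.warning here as suggested for get_text.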
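Review bot: the txt_input.py hunk in 0046 changes the join to `src = os.path.abspath(os.path.join(base_dir, src))`, which collapses `..` components into an absolute path, but the visible context still only checks os.path.isfile and os.access before opening the file; normalisation on its own does not keep src under base_dir, so the containment test must live in lines outside this hunk. Confirm that such a check exists and that it consumes the normalised value; if it does not, add one before the open() in the style of get_safe_path from patch 0045 (absolute base with trailing os.sep, commonprefix comparison).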

