This bug was fixed in the package calibre - 3.7.0+dfsg-2ubuntu0.1
---------------
calibre (3.7.0+dfsg-2ubuntu0.1) artful-security; urgency=medium
* SECURITY UPDATE: Malicious code execution when using CPickle instead of
JSON (LP: #1758699).
- fix-CVE-2018-7889.patch
- CVE-2018-7889
-- Simon Quigley <[email protected]> Thu, 12 Apr 2018 00:02:07 -0500
** Changed in: calibre (Ubuntu Artful)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1758699
Title:
[CVE] JavaScript in a book can access local files using XMLHttpRequest
Status in calibre package in Ubuntu:
Fix Released
Status in calibre source package in Trusty:
Confirmed
Status in calibre source package in Xenial:
Fix Released
Status in calibre source package in Artful:
Fix Released
Bug description:
For CVE-2016-10187:
The E-book viewer in calibre before 2.75 allows remote attackers to read
arbitrary files via a crafted epub file with JavaScript.
For CVE-2018-7889:
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported
bookmark data, which allows remote attackers to execute arbitrary code via a
crafted .pickle file, as demonstrated by Python code that contains an os.system
call.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/calibre/+bug/1758699/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : [email protected]
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
