Source: calibre
Version: 3.4.0+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-CC: t...@security.debian.org
Quack,
Sorry for the bad news, but Calibre embeds a very old version of
libmspack to build a plugin: /usr/lib/calibre/calibre/plugins/lzx.so
Unfortunately, this library had a few security issues over time, and
recently:
https://security-tracker.debian.org/tracker/source-package/libmspack
So this means Calibre is affected (all versions in Debian) by these two
security bugs and probably other older ones. The proper solution would
be to use the libmspack library, which has been fixed, with all the fixes
backported to stable and oldstable.
It is defined in 'setup/extensions.json' but I have no idea how to make
it use the system library so I have no patch to suggest.
Btw, it seems 'src/calibre/utils/' contains a lot of borrowed code, which
might lead to security problems too, so I would suggest having a look
and working things out with upstream to at least have build flags to use
system libraries when available.
Regards.
--
Marc Dequènes