[Git][security-tracker-team/security-tracker][master] Mark calibre CVE-2018-7889 in wheezy

Mon, 07 May 2018 00:10:32 -0700 

Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ef2f8d10 by Brian May at 2018-05-07T17:09:04+10:00
Mark calibre CVE-2018-7889 in wheezy

There is no known fix for this, and a true fix is not possible
without changing the configuration file formats not to allow
executable code.

See:
* https://lists.debian.org/debian-lts/2018/04/msg00098.html
* https://lists.debian.org/debian-lts/2018/05/msg00009.html

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6829,6 +6829,7 @@ CVE-2018-7890 (A remote code execution issue was 
discovered in Zoho ManageEngine
        NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls 
cPickle.load on ...)
        - calibre 3.19.0+dfsg-1 (bug #892242)
+       [wheezy] - calibre <no-dsa> (Minor issue)
        NOTE: https://bugs.launchpad.net/calibre/+bug/1753870
        NOTE: deserialization fix 
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
        NOTE: insufficient as import also loads configuration files, which are 
python executables,


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,10 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 apache2 (Roberto C. Sánchez)
 --
-calibre (Brian May)
-  NOTE: 20180321: Instead of replacing pickle with json, maybe disable 
bookmarking (apo)
-  NOTE: 20180321: completely and invest the time to fix the Jessie version 
instead? (apo)
---
 cups (Thorsten Alteholz)
   NOTE: 20180318: not clear whether patch is fine, so no email to maintainer 
sent (alteholz)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc

---
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to