This bug was fixed in the package calibre - 1.25.0+dfsg-1ubuntu1.2
---
calibre (1.25.0+dfsg-1ubuntu1.2) trusty-security; urgency=medium
* SECURITY UPDATE: JavaScript in a book can access local files using
XMLHttpRequest (LP: #1758699).
- fix-CVE-2016-10187.patch
-
Here is the last patch for Trusty:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8982687/+listing-archive-extra
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This bug was fixed in the package calibre - 3.7.0+dfsg-2ubuntu0.1
---
calibre (3.7.0+dfsg-2ubuntu0.1) artful-security; urgency=medium
* SECURITY UPDATE: Malicious code execution when using CPickle instead of
JSON (LP: #1758699).
- fix-CVE-2018-7889.patch
- CVE-2018-7889
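The artful changelog entry above describes the CVE-2018-7889 fix as moving away from CPickle to JSON for bookmark data. The following is an added example, not calibre's own code, showing what that class of fix looks like as a defender would write it: the viewer state is decoded with json.loads, which can only ever produce lists, dicts, strings, numbers, booleans and None and has no object-construction hook, and the decoded structure is then validated field by field before use. The bookmark record layout (a list of dicts with "title", "pos" and "type" keys), the allowed "type" values and the sample inputs are all invented for the example; calibre's real bookmark format is not shown on this page.

```python
"""Added example (not calibre's code): load viewer bookmarks from JSON with
structural validation, and refuse legacy pickle-serialised data outright.

The record layout, key names and allowed values below are assumptions made
for illustration, not calibre's actual bookmark schema.
"""
import json
import pickle

# Assumed schema: every bookmark is a dict with exactly these keys.
ALLOWED_KEYS = {"title", "pos", "type"}
ALLOWED_TYPES = {"cfi", "legacy"}


class BookmarkFormatError(ValueError):
    """Raised for any bookmark file that is not well-formed JSON of the expected shape."""


def _looks_like_pickle(data: bytes) -> bool:
    # Pickle protocol 2 and above starts with the PROTO opcode 0x80. Older
    # protocols are text-like and simply fail JSON decoding below; this check
    # only exists to give a clearer error for the common case.
    return data[:1] == b"\x80"


def load_bookmarks(data: bytes) -> list:
    """Decode and validate a bookmark file; never deserialise it as pickle."""
    if _looks_like_pickle(data):
        raise BookmarkFormatError("pickle-serialised bookmarks are not accepted")
    try:
        decoded = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BookmarkFormatError(f"bookmark file is not valid JSON: {exc}") from exc

    # json.loads can only yield plain data types, but the *shape* is still
    # attacker-controlled, so check every field before the caller trusts it.
    if not isinstance(decoded, list):
        raise BookmarkFormatError("top-level value must be a list")
    bookmarks = []
    for index, entry in enumerate(decoded):
        if not isinstance(entry, dict):
            raise BookmarkFormatError(f"entry {index} is not an object")
        if set(entry) != ALLOWED_KEYS:
            raise BookmarkFormatError(f"entry {index} has unexpected keys: {sorted(entry)}")
        if not isinstance(entry["title"], str) or not isinstance(entry["pos"], str):
            raise BookmarkFormatError(f"entry {index}: title and pos must be strings")
        if entry["type"] not in ALLOWED_TYPES:
            raise BookmarkFormatError(f"entry {index}: unknown type {entry['type']!r}")
        # Copy only the validated fields into a fresh dict.
        bookmarks.append({"title": entry["title"], "pos": entry["pos"], "type": entry["type"]})
    return bookmarks


def dump_bookmarks(bookmarks: list) -> bytes:
    """Serialise validated bookmarks back to JSON bytes (the safe replacement for pickle.dumps)."""
    return json.dumps(bookmarks, ensure_ascii=False).encode("utf-8")


def rejects(data: bytes) -> bool:
    """True if load_bookmarks refuses the input; used to demonstrate the failure modes."""
    try:
        load_bookmarks(data)
    except BookmarkFormatError:
        return True
    return False


# Constructed sample inputs (not real calibre data).
SAMPLE_BOOKMARKS = [{"title": "Chapter 3", "pos": "/2/4/2:0", "type": "cfi"}]
SAMPLE_JSON = b'[{"title": "Chapter 3", "pos": "/2/4/2:0", "type": "cfi"}]'
# A benign pickle of the same list, standing in for a pre-fix bookmark file.
SAMPLE_LEGACY_PICKLE = pickle.dumps(SAMPLE_BOOKMARKS, protocol=2)


if __name__ == "__main__":
    print("JSON input   ->", load_bookmarks(SAMPLE_JSON))
    print("round trip   ->", load_bookmarks(dump_bookmarks(SAMPLE_BOOKMARKS)))
    print("pickle input ->", "rejected" if rejects(SAMPLE_LEGACY_PICKLE) else "accepted")
    print("bad type     ->", "rejected" if rejects(b'[{"title":"x","pos":"1","type":"exec"}]') else "accepted")
```

The point of the extra validation is that swapping the serialiser removes the code-execution primitive, but the file is still untrusted input: a JSON document can still carry the wrong shape, unexpected keys or oversized values, so the loader rejects anything outside the expected schema rather than passing raw decoded objects into the viewer.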
This bug was fixed in the package calibre - 2.55.0+dfsg-1ubuntu0.2
---
calibre (2.55.0+dfsg-1ubuntu0.2) xenial-security; urgency=medium
* SECURITY UPDATE: JavaScript in a book can access local files using
XMLHttpRequest (LP: #1758699).
- fix-CVE-2016-10187.patch
-
In the meantime, I have updated my PPA with working fixes (I tested each
in a fresh VM; they work as intended and fix the security issue) for
Xenial and Artful.
Security Team, feel free to copy my packages to your PPA:
I have reached a point where I would like some guidance as to the
contents of the patch for the CVE-2018-7889 Trusty backport.
So, this is the line in src/calibre/gui2/viewer/bookmarkmanager.py that
has been patched upstream for this:
def item_to_bm(self, item):
-return
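Review bot: the quoted hunk stops at `-return` with no replacement `+` line, so nothing about the backport can be judged from this snippet; the artful changelog above describes the CVE-2018-7889 fix as using JSON instead of CPickle, and that is exactly the part the quote omits. Please paste the complete hunk from src/calibre/gui2/viewer/bookmarkmanager.py, the full removed `return ...` line and the `+` line that replaces it, so the Trusty backport can be compared against the upstream change.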
No candidate patches, yet.
** Changed in: calibre (Ubuntu Trusty)
Status: In Progress => Confirmed
** Changed in: calibre (Ubuntu Xenial)
Status: In Progress => Confirmed
** Changed in: calibre (Ubuntu Artful)
Status: New => Confirmed
** Changed in: calibre (Ubuntu Artful)
Importance: Undecided => Medium
** Changed in: calibre (Ubuntu Artful)
Assignee: (unassigned) => Simon Quigley (tsimonq2)
Marc Deslauriers pointed out to me over IRC that Trusty and Xenial are
also vulnerable to CVE-2018-7889.
So Trusty and Xenial need to receive patches for CVE-2016-10187 and
CVE-2018-7889 while Artful just needs the patch for CVE-2018-7889.
I think it makes sense to mark the separate bug I filed
I have uploaded these fixes (for Xenial and Trusty) to a fresh test PPA
of mine with all architectures switched on and only the security repo
enabled. I then tested both in VMs of each release, and they work as
intended. It also fixes the security issue.
Security Team, feel free to copy my