Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: cali...@packages.debian.org, yokota.h...@gmail.com, t...@security.debian.org Control: affects -1 + src:calibre User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Fix these CVEs: * CVE-2024-6782 + fixup * CVE-2024-7008 * CVE-2024-7009 [ Impact ] Without this update the following security problems remain unfixed in bookworm: * remote code execution (CVE-2024-6782) * cross-site scripting (CVE-2024-7008) * SQL injection (CVE-2024-7009) [ Tests ] The package builds and its automated build-time tests pass. [ Risks ] Not fully tested on bookworm. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] * Fix CVE-2024-6782 * Fix CVE-2024-7008 * Fix CVE-2024-7009 * Add fixup for CVE-2024-6782. See also Debian bug 1079277 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277 [ Other info ] The commits can be examined online: > https://github.com/debian-calibre/calibre/tree/bookworm-update
diff --git a/debian/changelog b/debian/changelog
index 8985397430..7d465145f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+calibre (6.13.0+repack-2+deb12u4) bookworm; urgency=medium
+
+ * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+ (Fix for CVE-2024-7009)
+ * Fix #2075130 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+ (Fix for CVE-2024-7008)
+ * Fix #2075128 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075128)
+ (Fix for CVE-2024-6782)
+ * Fix #2076515 [calibredb list command ignores fields
+ option](https://bugs.launchpad.net/calibre/+bug/2076515)
+ Add fixup to CVE-2024-6782 .
+ See also Debian bug 1079277.
+ > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277
+
+ -- YOKOTA Hiroshi <yokota.h...@gmail.com> Thu, 22 Aug 2024 20:41:03 +0900
+
 calibre (6.13.0+repack-2+deb12u3) bookworm; urgency=medium
 * HTML Input: Don't add resources that exist outside the folder hierarchy
diff --git a/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..ebc9c23760
--- /dev/null
+++ b/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,73 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:36:39 +0530
+Subject: Fix #2075131 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7009
+---
+ src/calibre/db/backend.py | 12 +++++++-----
+ src/calibre/db/fts/connect.py | 8 +++++---
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/calibre/db/backend.py b/src/calibre/db/backend.py
+index 614abdb..8cdaee3 100644
+--- a/src/calibre/db/backend.py
++++ b/src/calibre/db/backend.py
+@@ -1917,18 +1917,20 @@ class DB:
+ fts_engine_query = unicode_normalize(fts_engine_query)
+ fts_table = 'annotations_fts_stemmed' if use_stemming else 'annotations_fts'
+ text = 'annotations.searchable_text'
++ data = []
+ if highlight_start is not None and highlight_end is not None:
+ if snippet_size is not None:
+- text = 'snippet({fts_table}, 0, "{highlight_start}", "{highlight_end}", "…", {snippet_size})'.format(
+- fts_table=fts_table, highlight_start=highlight_start, highlight_end=highlight_end,
+- snippet_size=max(1, min(snippet_size, 64)))
++ text = "snippet({fts_table}, 0, ?, ?, '…', {snippet_size})".format(
++ fts_table=fts_table, snippet_size=max(1, min(snippet_size, 64)))
+ else:
+- text = f'highlight({fts_table}, 0, "{highlight_start}", "{highlight_end}")'
++ text = f"highlight({fts_table}, 0, ?, ?)"
++ data.append(highlight_start)
++ data.append(highlight_end)
+ query = 'SELECT {0}.id, {0}.book, {0}.format, {0}.user_type, {0}.user, {0}.annot_data, {1} FROM {0} '
+ query = query.format('annotations', text)
+ query += ' JOIN {fts_table} ON annotations.id = {fts_table}.rowid'.format(fts_table=fts_table)
+ query += f' WHERE {fts_table} MATCH ?'
+- data = [fts_engine_query]
++ data.append(fts_engine_query)
+ if restrict_to_user:
+ query += ' AND annotations.user_type = ? AND annotations.user = ?'
+ data += list(restrict_to_user)
+diff --git a/src/calibre/db/fts/connect.py b/src/calibre/db/fts/connect.py
+index 9ea3d5c..c575afb 100644
+--- a/src/calibre/db/fts/connect.py
++++ b/src/calibre/db/fts/connect.py
+@@ -156,20 +156,22 @@ class FTS:
+ return
+ fts_engine_query = unicode_normalize(fts_engine_query)
+ fts_table = 'books_fts' + ('_stemmed' if use_stemming else '')
++ data = []
+ if return_text:
+ text = 'books_text.searchable_text'
+ if highlight_start is not None and highlight_end is not None:
+ if snippet_size is not None:
+- text = f'snippet("{fts_table}", 0, "{highlight_start}", "{highlight_end}", "…", {max(1, min(snippet_size, 64))})'
++ text = f'''snippet("{fts_table}", 0, ?, ?, '…', {max(1, min(snippet_size, 64))})'''
+ else:
+- text = f'highlight("{fts_table}", 0, "{highlight_start}", "{highlight_end}")'
++ text = f'''highlight("{fts_table}", 0, ?, ?)'''
++ data.append(highlight_start)
++ data.append(highlight_end)
+ text = ', ' + text
+ else:
+ text = ''
+ query = 'SELECT {0}.id, {0}.book, {0}.format {1} FROM {0} '.format('books_text', text)
+ query += f' JOIN {fts_table} ON fts_db.books_text.id = {fts_table}.rowid'
+ query += ' WHERE '
+- data = []
+ conn = self.get_connection()
+ temp_table_name = ''
+ if restrict_to_book_ids:
diff --git a/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..9565fc526b
--- /dev/null
+++ b/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
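Review bot: `snippet_size` is still spliced into the SQL text by `.format()` on the new `snippet(...)` line, and the `max(1, min(snippet_size, 64))` clamp only bounds a value that already compares like an int — a float such as `2.5` or a bool survives the clamp and lands in the statement verbatim. Coerce before clamping, `snippet_size=max(1, min(int(snippet_size), 64))`, so the only thing that can reach the SQL string is an integer literal and a non-numeric value fails with ValueError at the call site instead of inside SQLite. The new `data` ordering is right as far as the hunk shows: the two highlight placeholders precede the `MATCH ?` placeholder in the statement and `data` is appended in the same order. Where `snippet_size` comes from (presumably the content-server FTS endpoint) is outside the hunk, as is the rest of this DB method, which starts before and continues after it.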
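Review bot: The same `snippet_size` clamp in the new `snippet("{fts_table}", ...)` f-string interpolates the value into SQL after `max(1, min(snippet_size, 64))`, which accepts non-integer numerics; mirror the backend.py path with `{max(1, min(int(snippet_size), 64))}` so both FTS query builders only ever embed an integer literal. Hoisting `data = []` above the `if return_text:` branch and deleting the later `- data = []` is necessary, since the old reset would have discarded the two bound highlight strings before the WHERE parameters were added. The enclosing FTS method starts before and ends after this hunk.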
@@ -0,0 +1,25 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:40:21 +0530
+Subject: Fix #2075130 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7008
+---
+ src/calibre/srv/legacy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
+index fa54504..4c19b68 100644
+--- a/src/calibre/srv/legacy.py
++++ b/src/calibre/srv/legacy.py
+@@ -255,7 +255,7 @@ def browse(ctx, rd, rest):
+ if rest.startswith('book/'):
+ # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
+ # redirect old server book URLs to new URLs
+- redirect = ctx.url_for(None) + '#book_id=' + rest[5:] + "&panel=book_details"
++ redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) + "&panel=book_details"
+ from lxml import etree as ET
+ return html(ctx, rd, endpoint,
+ E.html(E.head(
diff --git a/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..b21c67e7cd
--- /dev/null
+++ b/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
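Review bot: `'#book_id=' + int(rest[5:]) + "&panel=book_details"` concatenates `str` and `int`, so the new line raises TypeError on every request to the legacy `book/<id>` URL instead of redirecting — the XSS is closed only because the handler now fails. Use `redirect = ctx.url_for(None) + '#book_id=%d&panel=book_details' % int(rest[5:])` (or wrap it as `str(int(rest[5:]))`) so the coercion still guarantees a numeric id while the redirect keeps working. `int()` also raises ValueError for a non-numeric id; no handler is visible here, so that presumably surfaces as a server error rather than a not-found response, and catching it is worth considering. The [Tests] section says only build-time tests were run, and this regression is exactly what one request against `/browse/book/1` on the built package would catch; `browse()` continues outside the hunk.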
@@ -0,0 +1,48 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:51:33 +0530
+Subject: Fix #2075128 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075128)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-6782
+---
+ src/calibre/db/cli/cmd_list.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/calibre/db/cli/cmd_list.py b/src/calibre/db/cli/cmd_list.py
+index 9907b26..65935b5 100644
+--- a/src/calibre/db/cli/cmd_list.py
++++ b/src/calibre/db/cli/cmd_list.py
+@@ -36,6 +36,12 @@ def implementation(
+ db, notify_changes, fields, sort_by, ascending, search_text, limit, template=None
+ ):
+ is_remote = notify_changes is not None
++ if is_remote:
++ # templates allow arbitrary code execution via python templates. We
++ # could possibly disallow only python templates but that is more work
++ # than I feel like doing for this, so simply ignore templates on remote
++ # connections.
++ template = None
+ formatter = None
+ with db.safe_read_lock:
+ fm = db.field_metadata
+@@ -164,6 +170,8 @@ def do_list(
+ ):
+ if sort_by is None:
+ ascending = True
++ if dbctx.is_remote and (template or template_file or template_title):
++ raise SystemExit(_('The use of templates is disallowed when connecting to remote servers for security reasons'))
+ if 'template' in (f.strip() for f in fields):
+ if template_file:
+ with open(template_file, 'rb') as f:
+@@ -334,7 +342,8 @@ List the books available in the calibre database.
+ parser.add_option(
+ '--template',
+ default=None,
+- help=_('The template to run if "{}" is in the field list. Default: None').format('template')
++ help=_('The template to run if "{}" is in the field list. Note that templates are ignored while connecting to a calibre server.'
++ ' Default: None').format('template')
+ )
+ parser.add_option(
+ '--template_file',
diff --git a/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch b/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
new file mode 100644
index 0000000000..ac24875991
--- /dev/null
+++ b/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
@@ -0,0 +1,25 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Sun, 11 Aug 2024 20:18:29 +0530
+Subject: Fix #2076515 [calibredb list command ignores fields
+ option](https://bugs.launchpad.net/calibre/+bug/2076515)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/34f7b9eaf4cba97412481f659abe35c3e85eb013.patch
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277
+---
+ src/calibre/db/cli/cmd_list.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/db/cli/cmd_list.py b/src/calibre/db/cli/cmd_list.py
+index 65935b5..8dcb6e5 100644
+--- a/src/calibre/db/cli/cmd_list.py
++++ b/src/calibre/db/cli/cmd_list.py
+@@ -170,7 +170,7 @@ def do_list(
+ ):
+ if sort_by is None:
+ ascending = True
+- if dbctx.is_remote and (template or template_file or template_title):
++ if dbctx.is_remote and (template or template_file):
+ raise SystemExit(_('The use of templates is disallowed when connecting to remote servers for security reasons'))
+ if 'template' in (f.strip() for f in fields):
+ if template_file:
diff --git a/debian/patches/series b/debian/patches/series
index c1beb78279..ce4f65d581 100644
--- a/debian/patches/series
+++ b/debian/patches/series
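Review bot: The guard that actually closes CVE-2024-6782 is the `template = None` in `implementation()`, which is the function that receives the `db` and so is presumably what runs on the server for a remote client; the `raise SystemExit(...)` added to `do_list()` runs in the calibredb client, and any client that speaks the protocol can simply not perform it, so it is a usability check rather than the security boundary. Record that at the check, e.g. `# Client-side courtesy check only; the server enforces this in implementation()`, so a later cleanup does not drop the server-side branch as redundant. The two user-facing texts also disagree — the new `--template` help says templates are "ignored" on a remote connection while `do_list()` refuses with "disallowed"; pick one wording. What happens when `'template'` is still in `fields` but `template` has been nulled by `implementation()` is not visible here; both `implementation()` and `do_list()` start outside the hunk.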
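Review bot: Dropping `template_title` from the remote guard is only safe if that option is a column heading that is never evaluated by the template engine; the hunk does not show how it is used, so confirm it never reaches the formatter before keeping this relaxation. A one-line comment on the condition, `# template_title is a plain column label, not a template`, would record why it is exempt. `do_list()` starts before this hunk.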
@@ -29,3 +29,7 @@
 0029-ERROR-Unhandled-exception-when-opening-Settings-Savi.patch
 0030-fix-crash-in-Get-Books-when-regenerating-UIC-files-C.patch
 0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
+0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
+0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
+0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
+0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch