Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu


[ Reason ]

Fix these CVEs:
CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33205: Server-Side Request Forgery in ebook viewer backend
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a text-based file

[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.

[ Tests ]
Automated build-time test was successful.

[ Risks ]
Not well tested on a trixie machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix for CVE-2026-30853
* Fix for CVE-2026-33205
* Fix for CVE-2026-33206

[ Other info ]
The deb13u3 fix has not been confirmed by the release team yet,
so please confirm the deb13u3 fix first.
> trixie-pu: package calibre/8.5.0+ds-1+deb13u3
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136055

You can examine this fix online:
https://github.com/debian-calibre/calibre/compare/15e9d5649d1ff27e8bbd033309546080c0b8797c...debian/trixie
diff -Nru calibre-8.5.0+ds/debian/changelog calibre-8.5.0+ds/debian/changelog
--- calibre-8.5.0+ds/debian/changelog   2026-05-10 17:09:13.000000000 +0900
+++ calibre-8.5.0+ds/debian/changelog   2026-05-24 13:42:03.000000000 +0900
@@ -1,3 +1,16 @@
+calibre (8.5.0+ds-1+deb13u4) trixie; urgency=medium
+
+  * CVE-2026-30853: RB Input: Ensure files are extracted within container
+    dir
+  * CVE-2026-33205 (1/2): E-book viewer: prevent reading background images
+    from outside the config dir
+  * CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+    the internet. This was an unused feature anyway
+  * CVE-2026-33206: TXT Input: Ensure resource files are read only from
+    book contents
+
+ -- YOKOTA Hiroshi <[email protected]>  Sun, 24 May 2026 13:42:03 +0900
+
 calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium
 
   * Fix security vulnerabilities and code quality issues (Closes: #1135543)
diff -Nru calibre-8.5.0+ds/debian/patches/series 
calibre-8.5.0+ds/debian/patches/series
--- calibre-8.5.0+ds/debian/patches/series      2026-05-10 17:09:13.000000000 
+0900
+++ calibre-8.5.0+ds/debian/patches/series      2026-05-24 13:33:35.000000000 
+0900
@@ -88,3 +88,7 @@
 upstream/0088-CVE-2026-27810-Content-server-Sanitize-content-dispo.patch
 upstream/0089-CVE-2026-27824-Content-server-When-banning-IPs-for-r.patch
 upstream/0090-Fix-security-vulnerabilities-and-code-quality-issues.patch
+upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
+upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
+upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
+upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0091-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,58 @@
+From: Kovid Goyal <[email protected]>
+Date: Fri, 6 Mar 2026 07:39:44 +0530
+Subject: CVE-2026-30853: RB Input: Ensure files are extracted within
+ container dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
+Origin: 
https://github.com/kovidgoyal/calibre/commit/0f8dc639337d9ace67201e15ca12d5906d05f4c8
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/rb/reader.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/calibre/ebooks/rb/reader.py b/src/calibre/ebooks/rb/reader.py
+index c1f77dd..b13066a 100644
+--- a/src/calibre/ebooks/rb/reader.py
++++ b/src/calibre/ebooks/rb/reader.py
+@@ -67,6 +67,15 @@ class Reader:
+ 
+         return toc
+ 
++    def get_safe_path(self, output_dir, name):
++        base = os.path.abspath(output_dir)
++        if not base.endswith(os.sep):
++            base += os.sep
++        ans = os.path.abspath(os.path.join(base, name))
++        if os.path.commonprefix([ans, base]) != base:
++            ans = ''
++        return ans
++
+     def get_text(self, toc_item, output_dir):
+         if toc_item.flags in (1, 2):
+             return
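Review bot: a rejected name is dropped silently; `get_safe_path` returns `''` without emitting anything even though `Reader` already has `self.log` (used further down in `extract_content`), so a crafted RB file with `../` entries converts with no indication that parts were skipped. Emitting a warning through `self.log` before returning `''` would make the rejection visible. Two smaller points: `os.path.commonprefix([ans, base]) != base` is equivalent to `not ans.startswith(base)` here because `base` always ends with `os.sep`, and the latter reads more directly; and the method never touches `self`, so it could be a module-level helper. Note that the check is lexical: `os.path.abspath` collapses `..` but does not resolve symlinks, which is fine for an output_dir the converter creates itself but deserves a one-line comment.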
+@@ -87,8 +96,9 @@ class Reader:
+         else:
+             output += self.stream.read(toc_item.size).decode('cp1252' if 
self.encoding is None else self.encoding, 'replace')
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as html:
+-            html.write(output.replace('<TITLE>', '<TITLE> ').encode('utf-8'))
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as html:
++                html.write(output.replace('<TITLE>', '<TITLE> 
').encode('utf-8'))
+ 
+     def get_image(self, toc_item, output_dir):
+         if toc_item.flags != 0:
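Review bot: when `get_safe_path` returns `''` the chunk is skipped, but nothing in this hunk records which entry was skipped, and the TOC built earlier from the same item names (`return toc`) is not adjusted, so the converted book can end up referring to a file that was never written. Either log the skipped `toc_item.name` here or let the caller drop the corresponding TOC item. Minor: `if path := ...` is an assignment expression (Python 3.8+); that is fine for trixie's Python but worth knowing if the patch is ever backported further.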
+@@ -97,8 +107,9 @@ class Reader:
+         self.stream.seek(toc_item.offset)
+         data = self.stream.read(toc_item.size)
+ 
+-        with open(os.path.join(output_dir, toc_item.name.decode('utf-8')), 
'wb') as img:
+-            img.write(data)
++        if path := self.get_safe_path(output_dir, 
toc_item.name.decode('utf-8')):
++            with open(path, 'wb') as img:
++                img.write(data)
+ 
+     def extract_content(self, output_dir):
+         self.log.debug('Extracting content from file...')
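Review bot: same silent-skip pattern as in `get_text`; the two write bodies differ only in the bytes written, so a single helper such as `self._write_entry(output_dir, toc_item, data)` would keep the path check and any warning in one place instead of two. For the record, the check also handles absolute names correctly: on POSIX `os.path.join(base, '/etc/passwd')` discards `base`, the result fails the prefix test, and the image is not written.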
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0092-CVE-2026-33205-1-2-E-book-viewer-prevent-reading-bac.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,31 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:50:19 +0530
+Subject: CVE-2026-33205 (1/2): E-book viewer: prevent reading background
+ images from outside the config dir
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin: 
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py 
b/src/calibre/gui2/viewer/web_view.py
+index d2116bb..e09688c 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -106,8 +106,11 @@ def background_image(encoded_fname=''):
+         except FileNotFoundError:
+             return 'image/jpeg', b''
+     fname = bytes.fromhex(encoded_fname).decode()
+-    img_path = os.path.join(viewer_config_dir, 'background-images', fname)
++    base = os.path.abspath(os.path.join(viewer_config_dir, 
'background-images')) + os.sep
++    img_path = os.path.abspath(os.path.join(base, fname))
+     mt = guess_type(fname)[0] or 'image/jpeg'
++    if not img_path.startswith(base):
++        return mt, b''
+     try:
+         with open(make_long_path_useable(img_path), 'rb') as f:
+             return mt, f.read()
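Review bot: the `try` still catches only `FileNotFoundError`, so now that `encoded_fname` is treated as untrusted, a name that decodes to a directory, an unreadable file, or a string containing a NUL byte raises (`IsADirectoryError`, `PermissionError`, `ValueError`) out of the handler instead of returning `mt, b''`; likewise `bytes.fromhex(encoded_fname)` and `.decode()` above raise `ValueError`/`UnicodeDecodeError` on malformed input. Catching `(OSError, ValueError)` around the whole decode-and-open path would make every rejection return the same `mt, b''`. The `img_path.startswith(base)` check itself is sound because `base` carries a trailing `os.sep`, which stops a sibling directory such as `background-images2` from matching.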
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0093-CVE-2026-33205-2-2-E-book-viewer-Disallow-background.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,36 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:58:25 +0530
+Subject: CVE-2026-33205 (2/2): E-book viewer: Disallow background images from
+ the internet. This was an unused feature anyway
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
+Origin: 
https://github.com/kovidgoyal/calibre/commit/b1ef6a8142b8dadeb7e72c250c65d42b36ee7118
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/gui2/viewer/web_view.py | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/src/calibre/gui2/viewer/web_view.py 
b/src/calibre/gui2/viewer/web_view.py
+index e09688c..9c8e237 100644
+--- a/src/calibre/gui2/viewer/web_view.py
++++ b/src/calibre/gui2/viewer/web_view.py
+@@ -115,17 +115,6 @@ def background_image(encoded_fname=''):
+         with open(make_long_path_useable(img_path), 'rb') as f:
+             return mt, f.read()
+     except FileNotFoundError:
+-        if fname.startswith(('https://', 'http://')):
+-            from calibre import browser
+-            br = browser()
+-            try:
+-                with br.open(fname) as src:
+-                    data = src.read()
+-            except Exception:
+-                return mt, b''
+-            with open(make_long_path_useable(img_path), 'wb') as dest:
+-                dest.write(data)
+-            return mt, data
+         return mt, b''
+ 
+ 
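Review bot: with the fetch gone, the `except FileNotFoundError:` body is just `return mt, b''`, the same value the prefix check returns above; widening it to `except OSError:` would give the same empty response for a directory or unreadable file instead of an uncaught exception. The removal is complete within this function: `browser`, `br` and `data` have no remaining uses in the hunk, and a name beginning with `http://` or `https://` now falls through to `os.path.abspath(os.path.join(base, fname))` and is rejected by the prefix check, so no further special-casing is needed.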
diff -Nru 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
--- 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
calibre-8.5.0+ds/debian/patches/upstream/0094-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch
    2026-05-24 13:33:35.000000000 +0900
@@ -0,0 +1,27 @@
+From: Kovid Goyal <[email protected]>
+Date: Mon, 16 Mar 2026 08:37:16 +0530
+Subject: CVE-2026-33206: TXT Input: Ensure resource files are read only from
+ book contents
+
+Forwarded: not-needed
+Bug: 
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
+Origin: 
https://github.com/kovidgoyal/calibre/commit/c43f347837dbc00d9a7b5ff15a228b6f6081e290
+
+Signed-off-by: YOKOTA Hiroshi <[email protected]>
+---
+ src/calibre/ebooks/conversion/plugins/txt_input.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/ebooks/conversion/plugins/txt_input.py 
b/src/calibre/ebooks/conversion/plugins/txt_input.py
+index d6d43a6..6bc8289 100644
+--- a/src/calibre/ebooks/conversion/plugins/txt_input.py
++++ b/src/calibre/ebooks/conversion/plugins/txt_input.py
+@@ -112,7 +112,7 @@ class TXTInput(InputFormatPlugin):
+             src = img.get('src')
+             prefix = src.split(':', 1)[0].lower()
+             if src and prefix not in ('file', 'http', 'https', 'ftp') and not 
os.path.isabs(src):
+-                src = os.path.join(base_dir, src)
++                src = os.path.abspath(os.path.join(base_dir, src))
+                 if os.path.normcase(src).startswith(base_dir) and 
os.path.isfile(src) and os.access(src, os.R_OK):
+                     with open(src, 'rb') as f:
+                         data = f.read()
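Review bot: the prefix test `os.path.normcase(src).startswith(base_dir)` is still loose in two ways. `base_dir` is not normcased, so on Windows (where `normcase` lowercases) a mixed-case `base_dir` never matches and every image is silently dropped; and unless `base_dir` already ends with a separator (not visible in this hunk), a sibling directory such as `<base_dir>2/` passes the check. Suggest `base = os.path.normcase(os.path.abspath(base_dir)) + os.sep` and `os.path.normcase(src).startswith(base)`. Two pre-existing points in the context lines: `prefix = src.split(':', 1)[0].lower()` runs before the `if src` guard, so an `<img>` with no `src` raises `AttributeError`; and `abspath` does not resolve symlinks, so if `base_dir` can be an extracted archive that may contain symlinks, `os.path.realpath` is the safer normalisation for both sides of the comparison.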
