Control: tags = confirmed
Control: severity = important

On Thu, Aug 31, 2017 at 10:07:25AM +0200, Jens Schmidt wrote:
> Package: calibre
> Version: 3.4.0+dfsg-1
> Severity: normal
> 
> Dear Maintainer,
> 
> I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
> generated ebooks contain typos. The mistakes are located in a so-called
> "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I
> tried to edit the recipe code but the mistakes remain in the ebooks. I wrote my own
> custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a
> last try I switched off the network and had success. That made me curious, so I
> repeated the procedures with Wireshark logging network traffic. The result:
> 
> Calibre completely ignores built-in recipes and loads python scripts from a
> server in Mumbai/India: https://code.calibre-ebook.com:443/...
> (using a self-signed wildcard certificate)
> 
> It's an absolute taboo to load scripts in the background from an untrusted server
> and execute them on a Linux computer without user permission and without
> informing the user. This is a Debian OS not Windows. What if the scripts
> contain malware or spyware?
> 

Assuming good faith in the upstream, this is still a privacy breach,
so I agree we ought to do something about this.  Here is everywhere
this website is mentioned in the source code for debian/3.48.0+dfsg-1.

$ ag code.calibre-ebook.com
  setup/linux-installer.py
  644:            'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
  666:        calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()

  setup/linux-installer.sh
  693:            'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
  715:        calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()

  src/calibre/ebooks/metadata/sources/update.py
  95:        'https://code.calibre-ebook.com/metadata-sources/hashes.json')
  112:    raw = get_https_resource_securely('https://code.calibre-ebook.com/metadata-sources/' + name)

  src/calibre/gui2/dialogs/plugin_updater.py
  28:SERVER = 'https://code.calibre-ebook.com/plugins/'

  src/calibre/gui2/store/loader.py
  29:def download_updates(ver_map={}, server='https://code.calibre-ebook.com'):

  src/calibre/gui2/update.py
  24:URL = 'https://code.calibre-ebook.com/latest'

  src/calibre/gui2/icon_theme.py
  48:BASE_URL = 'https://code.calibre-ebook.com/icon-themes/'

  src/calibre/utils/https.py
  217:    print(get_https_resource_securely('https://code.calibre-ebook.com/latest'))

  src/calibre/web/feeds/recipes/collection.py
  224:        'https://code.calibre-ebook.com/recipe-compressed/'+urn,
  headers={'CALIBRE-INSTALL-UUID':prefs['installation_uuid']}))

Norbert, do you agree the best thing to do would be to

  1. Provide user confirmation dialogue (for consent)
  2. Disable access (users would need to use backports to get new
     recipes)


Regards,
Nicholas

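A consent-gated recipe lookup along the lines of the two options above, added here as an example and not calibre's own code: the recipe is read from the shipped builtin_recipes.zip unless the user has opted in, and every remote request the loader actually makes is recorded so it can be audited. The RecipeLoader class, the allow_remote_recipes pref and the injected fetch callable are assumptions; the zip content is constructed so the example runs offline.

```python
import io
import zipfile

REMOTE_BASE = "https://code.calibre-ebook.com/recipe-compressed/"  # URL from collection.py above


def build_builtin_recipes_zip():
    """Constructed in-memory stand-in for /usr/share/calibre/builtin_recipes.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_news.recipe",
                    "# built-in recipe (local copy)\ntitle = 'Example News'\n")
    return buf.getvalue()


class RecipeLoader:
    """Hypothetical loader: the shipped recipe is the default, the server is opt-in."""

    def __init__(self, zip_bytes, prefs, fetch):
        self.zip_bytes = zip_bytes
        self.prefs = prefs    # stand-in for calibre's prefs dict
        self.fetch = fetch    # fetch(url, headers) -> bytes; injected, so no real network here
        self.audit = []       # every remote URL this loader actually requested

    def local_recipe(self, urn):
        # Look the recipe up in the shipped archive; None if it is not bundled.
        with zipfile.ZipFile(io.BytesIO(self.zip_bytes)) as zf:
            name = urn + ".recipe"
            if name in zf.namelist():
                return zf.read(name).decode("utf-8")
        return None

    def get_recipe(self, urn):
        # Option 1 from the mail: contact the server only after explicit consent
        # (pref set to True). Option 2: with the pref absent or False it is never contacted.
        if self.prefs.get("allow_remote_recipes", False):
            url = REMOTE_BASE + urn
            self.audit.append(url)
            try:
                # Same header collection.py sends; it identifies the installation.
                headers = {"CALIBRE-INSTALL-UUID": self.prefs["installation_uuid"]}
                return self.fetch(url, headers).decode("utf-8")
            except OSError:
                pass  # server unreachable: fall back to the shipped copy
        return self.local_recipe(urn)
```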