On Sat, 21 Sep 2019 14:06:28 -0400 Nicholas D Steeves <nstee...@gmail.com> wrote:
> Control: tags = confirmed
> Control: severity = important
>
> On Thu, Aug 31, 2017 at 10:07:25AM +0200, Jens Schmidt wrote:
> > Package: calibre
> > Version: 3.4.0+dfsg-1
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some
> > generated ebooks contain typos. The mistakes are located in a so-called
> > "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip.
> > I tried to edit the recipe code but the mistakes remain in the ebooks. I wrote
> > my own custom recipe, I edited the built-in recipe in the ZIP archive - nothing
> > helps. As a last try I switched off the network and had success. That made me
> > curious, so I repeated the procedures with Wireshark logging network traffic.
> > The result:
> >
> > Calibre completely ignores built-in recipes and loads python scripts from a
> > server in Mumbai/India: https://code.calibre-ebook.com:443/... (using a
> > self-signed wildcard certificate)
> >
> > It's an absolute taboo to load scripts in the background from an untrusted
> > server and execute them on a Linux computer without user permission and
> > without informing the user. This is a Debian OS, not Windows. What if the
> > scripts contain malware or spyware?
> >
>
> Assuming good faith in the upstream, this is still a privacy breach,
> so I agree we ought to do something about this. Here is everywhere
> this website is mentioned in the source code for debian/3.48.0+dfsg-1.
>
> $ ag code.calibre-ebook.com
> setup/linux-installer.py
> 644: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> 666: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
>
> setup/linux-installer.sh
> 693: 'https://code.calibre-ebook.com/tarball-info/' + ('x86_64' if is64bit else 'i686'))
> 715: calibre_version = urlopen('http://code.calibre-ebook.com/latest').read()
>
> src/calibre/ebooks/metadata/sources/update.py
> 95: 'https://code.calibre-ebook.com/metadata-sources/hashes.json')
> 112: raw = get_https_resource_securely('https://code.calibre-ebook.com/metadata-sources/' + name)
>
> src/calibre/gui2/dialogs/plugin_updater.py
> 28:SERVER = 'https://code.calibre-ebook.com/plugins/'
>
> src/calibre/gui2/store/loader.py
> 29:def download_updates(ver_map={}, server='https://code.calibre-ebook.com'):
>
> src/calibre/gui2/update.py
> 24:URL = 'https://code.calibre-ebook.com/latest'
>
> src/calibre/gui2/icon_theme.py
> 48:BASE_URL = 'https://code.calibre-ebook.com/icon-themes/'
>
> src/calibre/utils/https.py
> 217: print(get_https_resource_securely('https://code.calibre-ebook.com/latest'))
>
Dear Maintainer,

I hope I'm not following up on this bug too soon, but I'm curious as to the status of this bug, as I am a current user of calibre. Are there any changes either upstream or written by yourself to stop this third-party code execution? I was notified of this bug during a routine 'apt-get upgrade' to the most recent backported version of this program. (3.39.1+dfsg-3~bpo9+1)

-- 
/dev/null
4057 0DA0 0983 FFA1 8756 670F 754A 0CB9 A367 275B
https://devnull.iamdevnull.info/devnull.gpg
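The mitigation the thread is asking for, sketched as an added example that is not calibre's code and makes no claim about how calibre's own `update.py` or `hashes.json` work: a recipe loader that uses the local built-in archive unless network fetching is explicitly enabled, and accepts a remotely fetched recipe only when its SHA-256 matches a locally pinned manifest. The zip archive, the "remote" recipe bytes, the manifest and the `fetch` callback are all constructed, in-memory stand-ins.

```python
"""
Added example (not calibre's code): prefer the local built-in recipe
archive; accept a remotely fetched recipe only after a pinned-hash
check. Every input below is a constructed stand-in.
"""
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for a builtin_recipes.zip shipped with the package.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("example_news.recipe", "# built-in recipe v1\nprint('local')\n")
LOCAL_ZIP_BYTES = _buf.getvalue()

# Constructed bytes a remote server might return: one genuine, one altered.
REMOTE_OK = b"# recipe v2\nprint('remote')\n"
REMOTE_TAMPERED = b"# recipe v2\nimport os; print('changed')\n"

# Constructed pinned manifest shipped with the package (recipe name ->
# expected sha256 hex). Anything not listed here is never accepted remotely.
PINNED_MANIFEST = {
    "example_news.recipe": hashlib.sha256(REMOTE_OK).hexdigest(),
}


class IntegrityError(Exception):
    """Raised when a remote recipe fails the pinned-hash check."""


def load_local_recipe(zip_bytes, name):
    """Read a recipe straight from the local archive (no network)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def verify_remote_recipe(name, raw, manifest):
    """Return raw only if its sha256 equals the pinned value for name."""
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned hash, refusing remote copy")
    actual = hashlib.sha256(raw).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: sha256 mismatch, refusing remote copy")
    return raw


def load_recipe(name, *, allow_network=False, fetch=None,
                zip_bytes=LOCAL_ZIP_BYTES, manifest=PINNED_MANIFEST):
    """Return recipe source bytes.

    `fetch(name)` is a hypothetical downloader supplied by the caller; it is
    invoked only when allow_network is True, and its result is used only
    after verify_remote_recipe() accepts it. Otherwise the local copy wins.
    """
    if not allow_network:
        return load_local_recipe(zip_bytes, name)
    if fetch is None:
        raise ValueError("allow_network=True requires a fetch callback")
    return verify_remote_recipe(name, fetch(name), manifest)


if __name__ == "__main__":
    print(load_recipe("example_news.recipe"))
    print(load_recipe("example_news.recipe", allow_network=True,
                      fetch=lambda n: REMOTE_OK))
    try:
        load_recipe("example_news.recipe", allow_network=True,
                    fetch=lambda n: REMOTE_TAMPERED)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The default of `allow_network=False` is the point: with it, a cron job running a conversion behaves the way the original reporter expected, using only the recipe shipped in the package, and turning the network on is an explicit choice that still cannot execute anything the pinned manifest does not vouch for.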