Package: release.debian.org Severity: normal Tags: bullseye, security X-Debbugs-Cc: cali...@packages.debian.org, t...@security.debian.org, yokota.h...@gmail.com Control: affects -1 + src:calibre User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Fix these CVEs: * CVE-2024-7008 * CVE-2024-7009 [ Impact ] These security problems remain unfixed: * cross-site scripting * SQL injection [ Tests ] The build and the automated build-time tests succeeded. [ Risks ] Not fully tested on bullseye. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] * Fix CVE-2024-7008 * Fix CVE-2024-7009 [ Other info ] The commits can be examined online: > https://github.com/debian-calibre/calibre/tree/bullseye-update
diff --git a/debian/changelog b/debian/changelog
index 33068fc40c..a7a13add8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+calibre (5.12.0+dfsg-1+deb11u2) bullseye; urgency=medium
+
+ * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+ (Fix for CVE-2024-7009)
+ * Fix #2075130 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+ (Fix for CVE-2024-7008)
+
+ -- YOKOTA Hiroshi <yokota.h...@gmail.com> Sun, 25 Aug 2024 13:32:32 +0900
+
 calibre (5.12.0+dfsg-1+deb11u1) bullseye; urgency=medium
 
 * Avoid to use embedded assignment syntax (Closes: #998744)
diff --git a/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..5c4a925777
--- /dev/null
+++ b/debian/patches/0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,42 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:36:39 +0530
+Subject: Fix #2075131 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7009
+---
+ src/calibre/db/backend.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/calibre/db/backend.py b/src/calibre/db/backend.py
+index 55526b7..bae5b35 100644
+--- a/src/calibre/db/backend.py
++++ b/src/calibre/db/backend.py
+@@ -1803,18 +1803,20 @@ class DB(object):
+ ):
+ fts_table = 'annotations_fts_stemmed' if use_stemming else 'annotations_fts'
+ text = 'annotations.searchable_text'
++ data = []
+ if highlight_start is not None and highlight_end is not None:
+ if snippet_size is not None:
+- text = 'snippet({fts_table}, 0, "{highlight_start}", "{highlight_end}", "…", {snippet_size})'.format(
+- fts_table=fts_table, highlight_start=highlight_start, highlight_end=highlight_end,
+- snippet_size=max(1, min(snippet_size, 64)))
++ text = "snippet({fts_table}, 0, ?, ?, '…', {snippet_size})".format(
++ fts_table=fts_table, snippet_size=max(1, min(snippet_size, 64)))
+ else:
+- text = 'highlight({}, 0, "{}", "{}")'.format(fts_table, highlight_start, highlight_end)
++ text = f"highlight({fts_table}, 0, ?, ?)"
++ data.append(highlight_start)
++ data.append(highlight_end)
+ query = 'SELECT {0}.id, {0}.book, {0}.format, {0}.user_type, {0}.user, {0}.annot_data, {1} FROM {0} '
+ query = query.format('annotations', text)
+ query += ' JOIN {fts_table} ON annotations.id = {fts_table}.rowid'.format(fts_table=fts_table)
+ query += ' WHERE {fts_table} MATCH ?'.format(fts_table=fts_table)
+- data = [fts_engine_query]
++ data.append(fts_engine_query)
+ if restrict_to_user:
+ query += ' AND annotations.user_type = ? AND annotations.user = ?'
+ data += list(restrict_to_user)
diff --git a/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch b/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..060fe0b9b4
--- /dev/null
+++ b/debian/patches/0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,25 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:40:21 +0530
+Subject: Fix #2075130 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+
+Origin: backport, https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7008
+---
+ src/calibre/srv/legacy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
+index c3a782e..e8722f0 100644
+--- a/src/calibre/srv/legacy.py
++++ b/src/calibre/srv/legacy.py
+@@ -256,7 +256,7 @@ def browse(ctx, rd, rest):
+ if rest.startswith('book/'):
+ # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
+ # redirect old server book URLs to new URLs
+- redirect = ctx.url_for(None) + '#book_id=' + rest[5:] + "&panel=book_details"
++ redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) + "&panel=book_details"
+ from lxml import etree as ET
+ return html(ctx, rd, endpoint,
+ E.html(E.head(
diff --git a/debian/patches/series b/debian/patches/series
index a5a2fd7599..3d09f2b3ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@
 0009-dont-use-python-crypto.patch
 0010-Restore-chardet-module-support.patch
 0011-Avoid-to-use-embedded-assignment-syntax-Closes-99874.patch
+0012-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
+0013-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
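Review bot: In the `src/calibre/db/backend.py` hunk of patch 0012, the bind list `data` is now filled in three separate places (highlight markers, `fts_engine_query`, `restrict_to_user`), and the query is only correct while that order matches the left-to-right order of the `?` placeholders, which nothing in the code states. A comment above `data = []` such as `# values must be appended in placeholder order: highlight markers (SELECT list), MATCH term, then user filter` would stop a later edit from reordering them unnoticed. Indentation is lost in this rendering, so confirm in the applied file that both `data.append(highlight_*)` calls sit inside the `if highlight_start is not None and highlight_end is not None:` block; outside it they would bind two values with no matching placeholders. `fts_table` and `snippet_size` are still formatted into the SQL text, which looks acceptable as shown because the first is one of two literals and the second passes through `max(1, min(snippet_size, 64))`. The enclosing method starts before and continues after the hunk.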
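Review bot: In the `src/calibre/srv/legacy.py` hunk of patch 0013, the added line evaluates `'#book_id=' + int(rest[5:])`, which concatenates a `str` with an `int` and raises `TypeError` in Python 3 on every `book/` request, so the reflected value is stopped only because the redirect no longer works at all. Convert back to text after validating: `redirect = ctx.url_for(None) + '#book_id=' + str(int(rest[5:])) + "&panel=book_details"`. `int()` also raises `ValueError` for a non-numeric suffix, which should be caught and answered with a client error instead of propagating; how `browse` reports errors is outside this hunk. This path runs only at request time, so the build-time tests mentioned in the request would not have exercised it, and a request test with a numeric and a non-numeric `book/` path would cover both cases.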