Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2025-64486

[ Impact ]
This bug can be leveraged to achieve arbitrary code execution.

[ Tests ]
Build-time test was successful.

[ Risks ]
This bug can be leveraged to achieve arbitrary code execution.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fix:
https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5

You can examine the changes online:
https://github.com/debian-calibre/calibre/compare/debian/6.13.0+repack-2+deb12u4...bookworm-update

[ Other info ]
Upstream advisory for this issue:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog --- calibre-6.13.0+repack/debian/changelog 2024-08-22 20:41:03.000000000 +0900 +++ calibre-6.13.0+repack/debian/changelog 2025-11-09 18:15:24.000000000 +0900 @@ -1,3 +1,9 @@ +calibre (6.13.0+repack-2+deb12u5) bookworm; urgency=medium + + * Fix CVE-2025-64486 + + -- YOKOTA Hiroshi <[email protected]> Sun, 09 Nov 2025 18:15:24 +0900 + calibre (6.13.0+repack-2+deb12u4) bookworm; urgency=medium * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131) diff -Nru calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch --- calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch 1970-01-01 09:00:00.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/0036-Fix-CVE-2025-64486.patch 2025-11-09 18:13:16.000000000 +0900 
@@ -0,0 +1,23 @@ +From: Kovid Goyal <[email protected]> +Date: Thu, 6 Nov 2025 09:36:53 +0530 +Subject: Fix CVE-2025-64486 + +Bug: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g +Origin: https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5 +--- + src/calibre/ebooks/conversion/plugins/fb2_input.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/calibre/ebooks/conversion/plugins/fb2_input.py b/src/calibre/ebooks/conversion/plugins/fb2_input.py +index dae3137..a71011b 100644 +--- a/src/calibre/ebooks/conversion/plugins/fb2_input.py ++++ b/src/calibre/ebooks/conversion/plugins/fb2_input.py +@@ -161,7 +161,7 @@ class FB2Input(InputFormatPlugin): + from calibre.ebooks.fb2 import base64_decode + self.binary_map = {} + for elem in doc.xpath('./*'): +- if elem.text and 'binary' in elem.tag and 'id' in elem.attrib: ++ if elem.text and 'binary' in elem.tag and elem.get('id', ''): + ct = elem.get('content-type', '') + fname = elem.attrib['id'] + ext = ct.rpartition('/')[-1].lower() diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series --- calibre-6.13.0+repack/debian/patches/series 2024-08-22 20:41:03.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/series 2025-11-09 18:13:16.000000000 +0900 @@ -33,3 +33,4 @@ 0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch 0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch 0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch +0036-Fix-CVE-2025-64486.patch
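Review bot: the debian/changelog entry "* Fix CVE-2025-64486" names only the CVE identifier; a stable-update changelog should also say in one line what was wrong and where, so that users and the release team can judge the change without opening the patch, e.g. "* Fix CVE-2025-64486: fb2_input: skip binary elements with an empty id attribute (0036-Fix-CVE-2025-64486.patch)". Citing the upstream advisory GHSA-hpwq-c98h-xp8g here as well, as the patch header already does, would make the entry self-contained.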
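Review bot: the DEP-3 header of 0036-Fix-CVE-2025-64486.patch carries only "Subject: Fix CVE-2025-64486" plus the Bug and Origin links and never states what the defect is; add a one-sentence description such as "fb2_input: skip binary elements whose id attribute is empty instead of using the empty string as fname", which is exactly what tightening the guard from `'id' in elem.attrib` to `elem.get('id', '')` achieves, since the following line `fname = elem.attrib['id']` otherwise proceeds with an empty name. The hunk matches the cited upstream stat line (1 file changed, 1 insertion, 1 deletion), so the backport of the Origin commit looks complete.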

