Hello Antoine, Antoine Beaupré [2017-01-29 10:48 -0500]: > Next time could you coordinate more closely with the security team?
Point taken, sorry about that. > 3. (optionnally) request a CVE at OSS-security with a CC upstream: > http://oss-security.openwall.org/wiki/mailing-lists/oss-security Mail sent, you were in CC. Kovid (upstream) has already made the original bug public; it includes a reproducer. > 5. (optionnally) help the security team backporting the patch to stable > and (even more optionnally) to Debian LTS Stretch debdiff with the backported patch attached; it still has some XXXXes for the pending CVE. Martin
diff -Nru calibre-2.5.0+dfsg/debian/changelog calibre-2.5.0+dfsg/debian/changelog
--- calibre-2.5.0+dfsg/debian/changelog 2014-10-12 22:43:15.000000000 +0200
+++ calibre-2.5.0+dfsg/debian/changelog 2017-01-29 17:42:15.000000000 +0100
@@ -1,3 +1,11 @@
+calibre (2.5.0+dfsg-1+deb8u1) stable-security; urgency=medium
+
+ * Add js_no_local_file_access.patch: E-book viewer: Prevent javascript in
+ the book from accessing files on the computer using XMLHttpRequest.
+ Patch backported from 2.75.1. (CVE-XXXX-XXXX, Closes: #853004)
+
+ -- Martin Pitt <mp...@debian.org> Sun, 29 Jan 2017 17:42:15 +0100
+
 calibre (2.5.0+dfsg-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru calibre-2.5.0+dfsg/debian/patches/js_no_local_file_access.patch calibre-2.5.0+dfsg/debian/patches/js_no_local_file_access.patch
--- calibre-2.5.0+dfsg/debian/patches/js_no_local_file_access.patch 1970-01-01 01:00:00.000000000 +0100
+++ calibre-2.5.0+dfsg/debian/patches/js_no_local_file_access.patch 2017-01-29 17:42:10.000000000 +0100
@@ -0,0 +1,45 @@
+From 3a89718664cb8cce0449d1758eee585ed0d0433c Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Wed, 21 Dec 2016 17:59:00 +0530
+Subject: [PATCH] E-book viewer: Prevent javascript in the book from accessing
+ files on the computer using XMLHttpRequest. Fixes #1651728 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/1651728)
+
+---
+ src/calibre/gui2/tweak_book/preview.py | 2 ++
+ src/calibre/gui2/viewer/documentview.py | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Bug: https://launchpad.net/bugs/1651728
+Bug-Debian: https://bugs.debian.org/853004
+
+Index: calibre-2.5.0+dfsg/src/calibre/gui2/tweak_book/preview.py
+===================================================================
+--- calibre-2.5.0+dfsg.orig/src/calibre/gui2/tweak_book/preview.py
++++ calibre-2.5.0+dfsg/src/calibre/gui2/tweak_book/preview.py
+@@ -261,6 +261,7 @@ class WebPage(QWebPage):
+ settings.setAttribute(settings.PrivateBrowsingEnabled, True)
+ settings.setAttribute(settings.JavascriptCanOpenWindows, False)
+ settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
++ settings.setAttribute(settings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
+ settings.setAttribute(settings.LinksIncludedInFocusChain, False)
+ settings.setAttribute(settings.DeveloperExtrasEnabled, True)
+ settings.setDefaultTextEncoding('utf-8')
+Index: calibre-2.5.0+dfsg/src/calibre/gui2/viewer/documentview.py
+===================================================================
+--- calibre-2.5.0+dfsg.orig/src/calibre/gui2/viewer/documentview.py
++++ calibre-2.5.0+dfsg/src/calibre/gui2/viewer/documentview.py
+@@ -109,6 +109,7 @@ class Document(QWebPage): # {{{
+ settings.setAttribute(QWebSettings.PluginsEnabled, False)
+ settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
+ settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
++ settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False) # ensure javascript cannot read from local files
+
+ # Miscellaneous
+ settings.setAttribute(QWebSettings.LinksIncludedInFocusChain, True)
+@@ -1315,5 +1316,3 @@ class DocumentView(QWebView): # {{{
+ return ret
+
+ # }}}
+-
+-
diff -Nru calibre-2.5.0+dfsg/debian/patches/series calibre-2.5.0+dfsg/debian/patches/series
--- calibre-2.5.0+dfsg/debian/patches/series 2014-10-12 22:43:15.000000000 +0200
+++ calibre-2.5.0+dfsg/debian/patches/series 2017-01-29 17:39:08.000000000 +0100
@@ -1,4 +1,5 @@
 # cherrypicked from/accepted into trunk:
+js_no_local_file_access.patch # sent upstream
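Review bot: The new attribute is set only on the two per-page `settings` objects in the nested hunks (`WebPage` in tweak_book/preview.py and `Document` in viewer/documentview.py), so any other QWebPage in this 2.5.0 tree that renders book-supplied HTML would keep Qt's default, which as far as I recall allows local content to reach file URLs; whether such pages exist is not visible from this hunk and is worth checking before upload. A process-wide default at GUI startup, `QWebSettings.globalSettings().setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False)`, would make the per-page lines a second barrier rather than the only one. Both patched methods begin outside the nested hunks, so it is not visible here whether `settings` is the page's own settings object or the global one. The patch header carries `Bug:`/`Bug-Debian:` but no DEP-3 `Origin:` line; `Origin: backport, <upstream commit URL>` would record where the cherry-pick came from.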