edubuntu-bugs team mailing list archive
Message #08146
[Bug 1758703] [NEW] [CVE] Use JSON to prevent malicious bookmark files from causing code execution
Public bug reported:
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on
imported bookmark data, which allows remote attackers to execute
arbitrary code via a crafted .pickle file, as demonstrated by Python
code that contains an os.system call.
** Affects: calibre (Ubuntu)
Importance: High
Status: Fix Released
** Affects: calibre (Ubuntu Artful)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: New
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7889
** Also affects: calibre (Ubuntu Artful)
Importance: Undecided
Status: New
** Changed in: calibre (Ubuntu Artful)
Importance: Undecided => High
** Changed in: calibre (Ubuntu Artful)
Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: calibre (Ubuntu)
Status: New => Fix Released
** Changed in: calibre (Ubuntu)
Importance: Undecided => High
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/1758703
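The bug title says what the fix is: replace pickle with JSON for imported bookmark data, because a JSON parser only ever produces plain data (lists, dicts, strings, numbers) and has no way to instantiate or call arbitrary Python objects the way unpickling does. The example below is an added illustration of that pattern and is not Calibre's own code; the bookmark field names (title, pos, pos_type), the size limit and the sample files are assumptions constructed for this example. It loads bookmarks only from JSON, validates the shape of every entry so that unexpected fields or types are refused rather than silently kept, and gives a clear error when it sees the header of a protocol 2+ pickle file left over from the old format.

```python
import json

# Constructed schema for this example: the field names are an assumption,
# not Calibre's actual bookmark format.
BOOKMARK_FIELDS = {"title": str, "pos": str, "pos_type": str}
MAX_BOOKMARK_FILE_BYTES = 1024 * 1024  # refuse absurdly large imports (assumed limit)


class BookmarkError(ValueError):
    """Raised for any bookmark file that does not match the expected shape."""


def looks_like_pickle(data: bytes) -> bool:
    """Best-effort check for a pickle protocol 2+ stream, which starts with the
    PROTO opcode 0x80 followed by the protocol number. Protocols 0 and 1 have no
    fixed header, so False here is not proof of safety; the JSON parser below is
    the real gate. This check only exists to give a clearer error message."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


def validate_bookmark(obj):
    """Return a copy of one bookmark containing exactly the expected fields."""
    if not isinstance(obj, dict):
        raise BookmarkError("each bookmark must be a JSON object")
    unexpected = sorted(set(obj) - set(BOOKMARK_FIELDS))
    if unexpected:
        raise BookmarkError(f"unexpected bookmark fields: {unexpected}")
    clean = {}
    for name, expected_type in BOOKMARK_FIELDS.items():
        if name not in obj:
            raise BookmarkError(f"missing bookmark field: {name}")
        value = obj[name]
        if not isinstance(value, expected_type):
            raise BookmarkError(f"field {name!r} must be {expected_type.__name__}")
        clean[name] = value
    return clean


def load_bookmarks(data: bytes):
    """Parse an imported bookmark file. Only JSON is accepted; parsing never
    executes anything, and the result is validated before it is returned."""
    if len(data) > MAX_BOOKMARK_FILE_BYTES:
        raise BookmarkError("bookmark file too large")
    if looks_like_pickle(data):
        raise BookmarkError("legacy pickle bookmark file refused; only JSON is accepted")
    try:
        parsed = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BookmarkError(f"not a JSON bookmark file: {exc}") from None
    if not isinstance(parsed, list):
        raise BookmarkError("bookmark file must contain a JSON array")
    return [validate_bookmark(b) for b in parsed]


def dump_bookmarks(bookmarks) -> bytes:
    """Serialise bookmarks as JSON; validation on the way out keeps the file
    in the same shape that load_bookmarks expects."""
    cleaned = [validate_bookmark(b) for b in bookmarks]
    return json.dumps(cleaned, indent=2, sort_keys=True).encode("utf-8")


def import_is_rejected(data: bytes) -> bool:
    """True when load_bookmarks refuses the bytes (used by the self-check below)."""
    try:
        load_bookmarks(data)
    except BookmarkError:
        return True
    return False


# Constructed sample inputs.
SAMPLE_JSON = json.dumps([
    {"title": "Chapter 3", "pos": "/2/4/10", "pos_type": "epubcfi"},
    {"title": "Notes", "pos": "/2/6/2", "pos_type": "epubcfi"},
]).encode("utf-8")
# An entry carrying a field the schema does not know is refused, not silently kept.
SAMPLE_EXTRA_FIELD = b'[{"title": "x", "pos": "/2", "pos_type": "epubcfi", "extra": 1}]'
# Bytes that begin with the pickle protocol-2 header (constructed, not a real pickle).
SAMPLE_PICKLE_HEADER = b"\x80\x02junk"

if __name__ == "__main__":
    loaded = load_bookmarks(SAMPLE_JSON)
    print(f"loaded {len(loaded)} bookmarks; first title: {loaded[0]['title']}")
    assert load_bookmarks(dump_bookmarks(loaded)) == loaded
    for label, sample in (("extra field", SAMPLE_EXTRA_FIELD),
                          ("pickle header", SAMPLE_PICKLE_HEADER)):
        print(f"{label}: rejected={import_is_rejected(sample)}")
```

The design point is that the parser choice removes the code-execution path entirely; the schema check on top of it is there so that a tampered bookmark file cannot introduce unexpected data into the reader either. The pickle-header check is deliberately only a diagnostic, since older pickle protocols have no recognisable header and the JSON parser is what actually decides.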