edubuntu-bugs team mailing list archive

Thread
Date

[Bug 1758699] Re: [CVE] JavaScript in a book can access local files using XMLHttpRequest

To: edubuntu-bugs@xxxxxxxxxxxxxxxxxxx
From: Simon Quigley <tsimonq2@xxxxxxxxxx>
Date: Tue, 27 Mar 2018 00:28:53 -0000
Reply-to: Bug 1758699 <1758699@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Marc Deslauriers pointed out to me over IRC that Trusty and Xenial are
also vulnerable to CVE-2018-7889.

So Trusty and Xenial need to receive patches for CVE-2016-10187 and
CVE-2018-7889 while Artful just needs the patch for CVE-2018-7889.

I think it makes sense to mark the separate bug I filed for
CVE-2018-7889 a duplicate of this one.

I'll update my PPA and test with this new information, and I'll report
back.

Thanks!

** Description changed:

- The E-book viewer in calibre before 2.75 allows remote attackers to read
- arbitrary files via a crafted epub file with JavaScript.
+ For CVE-2016-10187:
+ The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript.
+
+ For CVE-2018-7889:
+ gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7889

** Also affects: calibre (Ubuntu Artful)
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/1758699

Title:
[CVE] JavaScript in a book can access local files using XMLHttpRequest

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/calibre/+bug/1758699/+subscriptions

References

[Bug 1758699] [NEW] [CVE] JavaScript in a book can access local files using XMLHttpRequest
From: Simon Quigley, 2018-03-25