
edubuntu-bugs team mailing list archive

[Bug 1758699] Re: [CVE] JavaScript in a book can access local files using XMLHttpRequest

 

I have reached a point where I would like some guidance as to the
contents of the patch for the CVE-2018-7889 Trusty backport.

So, this is the line in src/calibre/gui2/viewer/bookmarkmanager.py that
has been patched upstream for this:

     def item_to_bm(self, item):
-        return cPickle.loads(bytes(item.data(Qt.UserRole)))
+        return item.data(Qt.UserRole).copy()
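
Review bot: the `+` line calls `.copy()` directly on `item.data(Qt.UserRole)`, so it only works if the item now holds the bookmark object itself rather than the pickled bytes that the removed `cPickle.loads(bytes(...))` expected. The code that stores the item data is not in this hunk; it has to change together with this line, and any backport needs that half as well. `.copy()` is also a shallow copy, so nested mutable values stay shared with the item's data; if callers modify them, a deep copy would be safer.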

(https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d)

Here is my attempt to backport it:

     def item_to_bm(self, item):
-        return cPickle.loads(bytes(item.data(Qt.UserRole).toPyObject()))
+        return item.data(Qt.UserRole).copy()
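
Review bot: the `+` line drops the `.toPyObject()` unwrap that the `-` line had, so `.copy()` is called on the QVariant instead of on the stored object, which matches the AttributeError reported below. Keep the unwrap on this PyQt4 code path; the TypeError quoted below suggests the unwrapped dict then carries `QString` keys, so convert the keys to Python strings when building the returned dict rather than returning `.copy()` of it unchanged. Also confirm the write side of the backport no longer stores a pickle, otherwise removing `cPickle.loads` here leaves the two sides out of step.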

This errors out at runtime with this error: "AttributeError: 'QVariant'
object has no attribute 'copy'"

I tried changing "return item.data(Qt.UserRole).copy()" to "return
item.data(Qt.UserRole).toPyObject().copy()" but I'm thrown "TypeError:
key PyQt4.QtCore.QString(u'pos') is not a string"

I expect that there are somewhat significant codebase differences due to
the fact that Trusty is based off of PyQt4 while Bionic is based off of
PyQt5, but I am a bit stumped at why this error would be thrown.

I've subscribed Marc directly because I have worked with him on this
(briefly, via IRC), and I'm a bit out of time at the moment (18.04 is
near) to be researching old PyQt4 syntax, but if I'm missing something
obvious, please yell.

Thanks.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/1758699

Title:
  [CVE] JavaScript in a book can access local files using XMLHttpRequest
