[Git][security-tracker-team/security-tracker][master] Mark calibre CVE-2018-7889 in wheezy
Brian May
bam at debian.org
Mon May 7 08:09:50 BST 2018
Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ef2f8d10 by Brian May at 2018-05-07T17:09:04+10:00
Mark calibre CVE-2018-7889 in wheezy
There is no known fix for this, and a true fix is not possible
without changing the configuration file formats not to allow
executable code.
See:
* https://lists.debian.org/debian-lts/2018/04/msg00098.html
* https://lists.debian.org/debian-lts/2018/05/msg00009.html
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6829,6 +6829,7 @@ CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine
NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on ...)
- calibre 3.19.0+dfsg-1 (bug #892242)
+ [wheezy] - calibre <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/calibre/+bug/1753870
NOTE: deserialization fix https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
NOTE: insufficient as import also loads configuration files, which are python executables,
=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,10 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
apache2 (Roberto C. Sánchez)
--
-calibre (Brian May)
- NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo)
- NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo)
---
cups (Thorsten Alteholz)
NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc
---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180507/6e53cc17/attachment.html>
More information about the debian-security-tracker-commits
mailing list