Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: cali...@packages.debian.org, yokota.h...@gmail.com,
t...@security.debian.org
Control: affects -1 + src:calibre
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Fix these CVEs:
* CVE-2024-6782 + fixup
* CVE-2024-7008
* CVE-2024-7009
[ Impact ]
Three security issues are currently unfixed in bookworm:
* remote code execution via templates passed to `calibredb list` against a remote calibre server (CVE-2024-6782)
* cross-site scripting in the legacy content-server `/browse/book/` redirect (CVE-2024-7008)
* SQL injection in full-text-search snippet/highlight queries (CVE-2024-7009)
[ Tests ]
The package builds and its automated build-time tests pass.
[ Risks ]
The changes have not been fully tested at runtime on bookworm; only build-time tests were run.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2024-6782
* Fix CVE-2024-7008
* Fix CVE-2024-7009
* Add fixup for CVE-2024-6782. See also Debian bug 1079277
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277
[ Other info ]
The commits can be examined online:
> https://github.com/debian-calibre/calibre/tree/bookworm-update
diff --git a/debian/changelog b/debian/changelog
index 8985397430..7d465145f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+calibre (6.13.0+repack-2+deb12u4) bookworm; urgency=medium
+
+ * Fix #2075131 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+ (Fix for CVE-2024-7009)
+ * Fix #2075130 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+ (Fix for CVE-2024-7008)
+ * Fix #2075128 [Private bug](https://bugs.launchpad.net/calibre/+bug/2075128)
+ (Fix for CVE-2024-6782)
+ * Fix #2076515 [calibredb list command ignores fields
+ option](https://bugs.launchpad.net/calibre/+bug/2076515)
+ Add fixup to CVE-2024-6782 .
+ See also Debian bug 1079277.
+ > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277
+
+ -- YOKOTA Hiroshi <yokota.h...@gmail.com> Thu, 22 Aug 2024 20:41:03 +0900
+
calibre (6.13.0+repack-2+deb12u3) bookworm; urgency=medium
* HTML Input: Don't add resources that exist outside the folder hierarchy
diff --git
a/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
b/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..ebc9c23760
--- /dev/null
+++
b/debian/patches/0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,73 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:36:39 +0530
+Subject: Fix #2075131 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075131)
+
+Origin: backport,
https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7009
+---
+ src/calibre/db/backend.py | 12 +++++++-----
+ src/calibre/db/fts/connect.py | 8 +++++---
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/calibre/db/backend.py b/src/calibre/db/backend.py
+index 614abdb..8cdaee3 100644
+--- a/src/calibre/db/backend.py
++++ b/src/calibre/db/backend.py
+@@ -1917,18 +1917,20 @@ class DB:
+ fts_engine_query = unicode_normalize(fts_engine_query)
+ fts_table = 'annotations_fts_stemmed' if use_stemming else
'annotations_fts'
+ text = 'annotations.searchable_text'
++ data = []
+ if highlight_start is not None and highlight_end is not None:
+ if snippet_size is not None:
+- text = 'snippet({fts_table}, 0, "{highlight_start}",
"{highlight_end}", "…", {snippet_size})'.format(
+- fts_table=fts_table, highlight_start=highlight_start,
highlight_end=highlight_end,
+- snippet_size=max(1, min(snippet_size, 64)))
++ text = "snippet({fts_table}, 0, ?, ?, '…',
{snippet_size})".format(
++ fts_table=fts_table, snippet_size=max(1,
min(snippet_size, 64)))
+ else:
+- text = f'highlight({fts_table}, 0, "{highlight_start}",
"{highlight_end}")'
++ text = f"highlight({fts_table}, 0, ?, ?)"
++ data.append(highlight_start)
++ data.append(highlight_end)
+ query = 'SELECT {0}.id, {0}.book, {0}.format, {0}.user_type,
{0}.user, {0}.annot_data, {1} FROM {0} '
+ query = query.format('annotations', text)
+ query += ' JOIN {fts_table} ON annotations.id =
{fts_table}.rowid'.format(fts_table=fts_table)
+ query += f' WHERE {fts_table} MATCH ?'
+- data = [fts_engine_query]
++ data.append(fts_engine_query)
+ if restrict_to_user:
+ query += ' AND annotations.user_type = ? AND annotations.user = ?'
+ data += list(restrict_to_user)
+diff --git a/src/calibre/db/fts/connect.py b/src/calibre/db/fts/connect.py
+index 9ea3d5c..c575afb 100644
+--- a/src/calibre/db/fts/connect.py
++++ b/src/calibre/db/fts/connect.py
+@@ -156,20 +156,22 @@ class FTS:
+ return
+ fts_engine_query = unicode_normalize(fts_engine_query)
+ fts_table = 'books_fts' + ('_stemmed' if use_stemming else '')
++ data = []
+ if return_text:
+ text = 'books_text.searchable_text'
+ if highlight_start is not None and highlight_end is not None:
+ if snippet_size is not None:
+- text = f'snippet("{fts_table}", 0, "{highlight_start}",
"{highlight_end}", "…", {max(1, min(snippet_size, 64))})'
++ text = f'''snippet("{fts_table}", 0, ?, ?, '…', {max(1,
min(snippet_size, 64))})'''
+ else:
+- text = f'highlight("{fts_table}", 0, "{highlight_start}",
"{highlight_end}")'
++ text = f'''highlight("{fts_table}", 0, ?, ?)'''
++ data.append(highlight_start)
++ data.append(highlight_end)
+ text = ', ' + text
+ else:
+ text = ''
+ query = 'SELECT {0}.id, {0}.book, {0}.format {1} FROM {0}
'.format('books_text', text)
+ query += f' JOIN {fts_table} ON fts_db.books_text.id =
{fts_table}.rowid'
+ query += ' WHERE '
+- data = []
+ conn = self.get_connection()
+ temp_table_name = ''
+ if restrict_to_book_ids:
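Review bot: `snippet_size` is still interpolated into the SQL text in both hunks (`{snippet_size}` in backend.py and `{max(1, min(snippet_size, 64))}` in connect.py), and `max`/`min` clamp the value but do not coerce it, so a float or bool would still be formatted into the query string; coercing first, `snippet_size=max(1, min(int(snippet_size), 64))`, makes the bounded-integer invariant explicit and rejects anything non-numeric with a ValueError. The new `?` placeholders are bound in SELECT order ahead of the `MATCH ?` parameter, and `data` is now initialised before the highlight branch in both files, so placeholder and parameter order agree as far as the hunks show. `fts_table` is still formatted in, but it is chosen from two fixed literals, so it is not attacker-controlled. Both enclosing methods begin before and end after the hunks shown.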
diff --git
a/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
b/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..9565fc526b
--- /dev/null
+++
b/debian/patches/0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,25 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:40:21 +0530
+Subject: Fix #2075130 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+
+Origin: backport,
https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7008
+---
+ src/calibre/srv/legacy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
+index fa54504..4c19b68 100644
+--- a/src/calibre/srv/legacy.py
++++ b/src/calibre/srv/legacy.py
+@@ -255,7 +255,7 @@ def browse(ctx, rd, rest):
+ if rest.startswith('book/'):
+ # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
+ # redirect old server book URLs to new URLs
+- redirect = ctx.url_for(None) + '#book_id=' + rest[5:] +
"&panel=book_details"
++ redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) +
"&panel=book_details"
+ from lxml import etree as ET
+ return html(ctx, rd, endpoint,
+ E.html(E.head(
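Review bot: As shown, `'#book_id=' + int(rest[5:]) + "&panel=book_details"` concatenates a str with an int, which raises TypeError on every `/browse/book/<id>` request instead of producing the redirect; the numeric check needs to convert back, `str(int(rest[5:]))`, so it closes the injection without breaking the legacy URL. A non-numeric suffix now raises ValueError from `int()`; unless the server maps that to a 4xx somewhere not visible here, it should be caught and turned into a bad-request/not-found response rather than a traceback. Given the [Risks] note that this was not runtime-tested on bookworm, a request to this path is the one smoke test worth running before upload. The enclosing `browse()` continues outside the hunk.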
diff --git
a/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
b/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
new file mode 100644
index 0000000000..b21c67e7cd
--- /dev/null
+++
b/debian/patches/0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
@@ -0,0 +1,48 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:51:33 +0530
+Subject: Fix #2075128 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075128)
+
+Origin: backport,
https://github.com/kovidgoyal/calibre/commit/38a1bf50d8cd22052ae59c513816706c6445d5e9.patch
+Forwarded: not-needed
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-6782
+---
+ src/calibre/db/cli/cmd_list.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/calibre/db/cli/cmd_list.py b/src/calibre/db/cli/cmd_list.py
+index 9907b26..65935b5 100644
+--- a/src/calibre/db/cli/cmd_list.py
++++ b/src/calibre/db/cli/cmd_list.py
+@@ -36,6 +36,12 @@ def implementation(
+ db, notify_changes, fields, sort_by, ascending, search_text, limit,
template=None
+ ):
+ is_remote = notify_changes is not None
++ if is_remote:
++ # templates allow arbitrary code execution via python templates. We
++ # could possibly disallow only python templates but that is more work
++ # than I feel like doing for this, so simply ignore templates on
remote
++ # connections.
++ template = None
+ formatter = None
+ with db.safe_read_lock:
+ fm = db.field_metadata
+@@ -164,6 +170,8 @@ def do_list(
+ ):
+ if sort_by is None:
+ ascending = True
++ if dbctx.is_remote and (template or template_file or template_title):
++ raise SystemExit(_('The use of templates is disallowed when
connecting to remote servers for security reasons'))
+ if 'template' in (f.strip() for f in fields):
+ if template_file:
+ with open(template_file, 'rb') as f:
+@@ -334,7 +342,8 @@ List the books available in the calibre database.
+ parser.add_option(
+ '--template',
+ default=None,
+- help=_('The template to run if "{}" is in the field list. Default:
None').format('template')
++ help=_('The template to run if "{}" is in the field list. Note that
templates are ignored while connecting to a calibre server.'
++ ' Default: None').format('template')
+ )
+ parser.add_option(
+ '--template_file',
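Review bot: The server-side guard in `implementation()` (`template = None` when `is_remote`) is the control that actually closes the code-execution path, because the `SystemExit` in `do_list` runs on the client and can be bypassed by any caller speaking the wire protocol; a one-line comment making that explicit would help the next backporter, e.g. `# Server-side guard: the client-side check in do_list is advisory only.` The new `--template` help text says templates are "ignored" on a remote connection, while `do_list` actually aborts with "disallowed"; the two wordings should be reconciled so the documented behaviour matches what happens. `is_remote` is derived from `notify_changes is not None` on the pre-existing context line, which is worth stating in the same comment since the whole check hinges on it. `do_list` and the option parser start and end outside the hunks.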
diff --git
a/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
b/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
new file mode 100644
index 0000000000..ac24875991
--- /dev/null
+++
b/debian/patches/0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch
@@ -0,0 +1,25 @@
+From: Kovid Goyal <ko...@kovidgoyal.net>
+Date: Sun, 11 Aug 2024 20:18:29 +0530
+Subject: Fix #2076515 [calibredb list command ignores fields
+ option](https://bugs.launchpad.net/calibre/+bug/2076515)
+
+Origin: backport,
https://github.com/kovidgoyal/calibre/commit/34f7b9eaf4cba97412481f659abe35c3e85eb013.patch
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079277
+---
+ src/calibre/db/cli/cmd_list.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/db/cli/cmd_list.py b/src/calibre/db/cli/cmd_list.py
+index 65935b5..8dcb6e5 100644
+--- a/src/calibre/db/cli/cmd_list.py
++++ b/src/calibre/db/cli/cmd_list.py
+@@ -170,7 +170,7 @@ def do_list(
+ ):
+ if sort_by is None:
+ ascending = True
+- if dbctx.is_remote and (template or template_file or template_title):
++ if dbctx.is_remote and (template or template_file):
+ raise SystemExit(_('The use of templates is disallowed when
connecting to remote servers for security reasons'))
+ if 'template' in (f.strip() for f in fields):
+ if template_file:
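Review bot: Dropping `template_title` from the remote check loosens only the client-side guard in `do_list`; the server-side `template = None` in `implementation()` from the preceding patch is untouched, so the CVE-2024-6782 fix is not weakened as far as these hunks show. The referenced bug title suggests `template_title` has a non-empty default that made every remote `calibredb list` abort, but nothing here shows whether `template_title` is ever evaluated as a template rather than used as a column heading — confirm against the rest of `do_list` and record it, e.g. `# template_title is only a column heading, never evaluated; it must not trip the remote check`. `do_list` continues outside the hunk.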
diff --git a/debian/patches/series b/debian/patches/series
index c1beb78279..ce4f65d581 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,7 @@
0029-ERROR-Unhandled-exception-when-opening-Settings-Savi.patch
0030-fix-crash-in-Get-Books-when-regenerating-UIC-files-C.patch
0031-HTML-Input-Dont-add-resources-that-exist-outside-the.patch
+0032-Fix-2075131-Private-bug-https-bugs.launchpad.net-cal.patch
+0033-Fix-2075130-Private-bug-https-bugs.launchpad.net-cal.patch
+0034-Fix-2075128-Private-bug-https-bugs.launchpad.net-cal.patch
+0035-Fix-2076515-calibredb-list-command-ignores-fields-op.patch