Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:calibre
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-33205

[ Impact ]
A Server-Side Request Forgery vulnerability is unfixed.

[ Tests ]
Build time automated test was successful.

[ Risks ]
Not well tested on a bookworm machine.
Calibre v6.13.0 code differs from current upstream code, so I rewrote the
patch for v6.13.0. (A big change happened in v7.6.0.)
This means the fix is less reliable than trixie's fix.
Please review more carefully than trixie's CVE-2026-33205 fix.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2026-33205

[ Other info ]
* Server-Side Request Forgery in ebook viewer backend
  https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
* E-book viewer: prevent reading background images
  https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
* Examine this fix online
  https://github.com/debian-calibre/calibre/compare/debian/6.13.0+repack-2+deb12u8...bookworm-update
diff -Nru calibre-6.13.0+repack/debian/changelog calibre-6.13.0+repack/debian/changelog --- calibre-6.13.0+repack/debian/changelog 2026-05-24 14:19:11.000000000 +0900 +++ calibre-6.13.0+repack/debian/changelog 2026-05-27 23:52:50.000000000 +0900 @@ -1,3 +1,10 @@ +calibre (6.13.0+repack-2+deb12u9) bookworm; urgency=medium + + * CVE-2026-33205: E-book viewer: prevent reading background images from + outside the config dir + + -- YOKOTA Hiroshi <[email protected]> Wed, 27 May 2026 23:52:50 +0900 + calibre (6.13.0+repack-2+deb12u8) bookworm; urgency=medium * Add comment for unused fix diff -Nru calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch --- calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch 1970-01-01 09:00:00.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch 2026-05-27 23:52:16.000000000 +0900 
@@ -0,0 +1,37 @@ +From: Kovid Goyal <[email protected]> +Date: Mon, 16 Mar 2026 08:50:19 +0530 +Subject: CVE-2026-33205: E-book viewer: prevent reading background images + from outside the config dir + +Forwarded: not-needed +Bug: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v +Origin: https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4 + +Signed-off-by: YOKOTA Hiroshi <[email protected]> +--- + src/calibre/gui2/viewer/web_view.py | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/calibre/gui2/viewer/web_view.py b/src/calibre/gui2/viewer/web_view.py +index fc077f1..0ea687c 100644 +--- a/src/calibre/gui2/viewer/web_view.py ++++ b/src/calibre/gui2/viewer/web_view.py +@@ -80,13 +80,16 @@ def get_data(name): + def background_image(): + ans = getattr(background_image, 'ans', None) + if ans is None: +- img_path = os.path.join(viewer_config_dir, 'bg-image.data') ++ base = os.path.abspath(viewer_config_dir) + os.sep ++ img_path = os.path.abspath(os.path.join(base, 'bg-image.data')) ++ if not img_path.startswith(base): ++ return 'image/jpeg', b'' + if os.path.exists(img_path): + with open(img_path, 'rb') as f: + data = f.read() + mt, data = data.split(b'|', 1) + else: +- ans = b'image/jpeg', b'' ++ return 'image/jpeg', b'' + ans = background_image.ans = mt.decode('utf-8'), data + return ans + diff -Nru calibre-6.13.0+repack/debian/patches/series calibre-6.13.0+repack/debian/patches/series --- calibre-6.13.0+repack/debian/patches/series 2026-05-24 14:19:11.000000000 +0900 +++ calibre-6.13.0+repack/debian/patches/series 2026-05-27 23:52:16.000000000 +0900 @@ -44,3 +44,4 @@ 0044-Fix-security-vulnerabilities-and-code-quality-issues.patch 0045-CVE-2026-30853-RB-Input-Ensure-files-are-extracted-w.patch 0046-CVE-2026-33206-TXT-Input-Ensure-resource-files-are-r.patch +0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch
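Review bot: the path guard in the web_view.py hunk of 0047-CVE-2026-33205-E-book-viewer-prevent-reading-backgro.patch is dead code as written: the file name is the literal 'bg-image.data', so `img_path = os.path.abspath(os.path.join(base, 'bg-image.data'))` always starts with `base` and the new `if not img_path.startswith(base): return 'image/jpeg', b''` branch can never be taken. If viewer_config_dir can be influenced by the viewer frontend in 6.13.0, the patch description should say how and the check should cover that input; if it cannot, the 6.13.0 code may not be affected by this CVE and the guard should either be dropped or its rationale documented. The second change in the hunk, `- ans = b'image/jpeg', b''` to `+ return 'image/jpeg', b''`, is a real fix that deserves a sentence in the patch header: the old else branch fell through to `mt.decode('utf-8')` with `mt` unbound, so a missing background image raised UnboundLocalError, and the mime type was bytes where the success path returns str. The early return also means the empty result is no longer cached in `background_image.ans`, so the file is re-checked on every call; say so if that is intended. Since the hunk differs from upstream commit 6eb7b5458f183c8a037e9d7dac428122a77204e4 (the bug report says the patch was rewritten for 6.13.0), the DEP-3 `Origin:` line should be marked as a backport rather than presenting the hunk as the upstream change.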

