Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 936961 (CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009) - <app-text/calibre-7.16.0: various exploits against the content server
Summary: <app-text/calibre-7.16.0: various exploits against the content server
Status: RESOLVED FIXED
Alias: CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: C1 [glsa+]
Keywords:
Depends on: 936963 936964
Blocks:
  Show dependency tree
 
Reported: 2024-07-31 03:43 UTC by Eli Schwartz
Modified: 2024-09-22 05:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eli Schwartz gentoo-dev 2024-07-31 03:43:01 UTC
https://calibre-ebook.com/whats-new for 7.16.0

Remote code execution:
A remote code execution bug in the Content server introduced in calibre version 6.9.0 (released on 2022-11-25) means that anyone with access to the server also has access to the rest of the computer the server is running on. If you are using a password to protect access to the server only people that know the password can gain access via the bug.


Path traversal:
A bug in a feature introduced in calibre version 6.16.0 (released 2023-04-20) means anyone with access to the server can also read non calibre related files on the computer running the server.


SQL injection:
A bug in a feature introduced in calibre version 6.10.0 (released 2022-12-16) means anyone with access to the server can also read non-calibre SQLITE database files on the computer running the server.


XSS:
Only relevant if you embed the calibre server within a larger server, it means attackers who can convince users to click on a specially crafted link, can run JavaScript code with the same origin as the larger server calibre is embedded in.
Comment 1 Larry the Git Cow gentoo-dev 2024-07-31 03:53:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34c67cbd5d13469221f14e46981a8e6a91fb2068

commit 34c67cbd5d13469221f14e46981a8e6a91fb2068
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-07-31 03:49:37 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-07-31 03:51:38 +0000

    app-text/calibre: backport fix for CVE-2024-7008 to 5.44
    
    Although 4 CVEs were fixed in 7.16.0, only one of them (relatively
    minor) is present in 5.x.
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 ...e-5.44.0-r4.ebuild => calibre-5.44.0-r5.ebuild} |  2 ++
 .../files/calibre-5.44.0-xss-backport.patch        | 33 ++++++++++++++++++++++
 2 files changed, 35 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d31278435e4ad4d009120729d694cf3d06653e34

commit d31278435e4ad4d009120729d694cf3d06653e34
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-07-31 03:35:06 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-07-31 03:51:37 +0000

    app-text/calibre: add 7.16.0
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 app-text/calibre/Manifest              |   2 +
 app-text/calibre/calibre-7.16.0.ebuild | 243 +++++++++++++++++++++++++++++++++
 2 files changed, 245 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-08-16 01:16:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd95a78b278fdb5caf1e1bd86d9c4cd72a1e56d8

commit dd95a78b278fdb5caf1e1bd86d9c4cd72a1e56d8
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-08-14 22:22:46 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-08-16 01:12:37 +0000

    app-text/calibre: drop old for security cleanup
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 app-text/calibre/Manifest                 |   2 -
 app-text/calibre/calibre-5.44.0-r3.ebuild | 273 ------------------------------
 app-text/calibre/calibre-7.13.0.ebuild    | 243 --------------------------
 3 files changed, 518 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-09-22 05:54:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f7ca4470b0c876ba704ac6e0ddc1bb84ecfdac31

commit f7ca4470b0c876ba704ac6e0ddc1bb84ecfdac31
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 05:54:09 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:54:22 +0000

    [ GLSA 202409-04 ] calibre: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918429
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-04.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)