Bug 918429 (CVE-2023-46303) - <app-text/calibre-5.44.0-r3: local file inclusion vulnerability
Summary: <app-text/calibre-5.44.0-r3: local file inclusion vulnerability
Status: IN_PROGRESS
Alias: CVE-2023-46303
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/0x1717/ssrf-via-img
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 918680
Blocks:
Reported: 2023-11-24 20:54 UTC by John Helmert III
Modified: 2024-01-23 00:36 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 20:54:14 UTC
CVE-2023-46303 (https://github.com/kovidgoyal/calibre/compare/v6.18.1...v6.19.0):

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.

This seems like not SSRF. I *guess* it's more of an LFI but I'm not
even sure if this is entirely undesirable behavior in conversion
operations. Doesn't seem like there's an upstream report.
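The CVE description above says the HTML input plugin could add resources that live outside the document root. The defensive check that closes that class of bug is path containment: resolve the root and the candidate path, then only accept the candidate when the resolved root is a prefix of it at a path-component boundary. The block below is an added illustration of that check and is not calibre's code or the patch referenced in this bug; the function names, the `/srv/book` root and the sample hrefs are constructed for the example.

```python
import os
from typing import Iterable, List, Tuple


def is_within_root(document_root: str, candidate: str) -> bool:
    """Return True only if `candidate` resolves to a location inside `document_root`.

    - realpath() collapses `..` segments and follows symlinks, so a link that
      points outside the root is rejected as well as a literal `../` traversal.
    - os.path.join() lets an absolute `candidate` replace the root entirely,
      which is exactly the case we must then refuse.
    - commonpath() compares whole path components, so a sibling directory that
      merely shares a string prefix (e.g. /srv/bookshelf vs /srv/book) is rejected.
    """
    root = os.path.realpath(document_root)
    target = os.path.realpath(os.path.join(root, candidate))
    return os.path.commonpath([root, target]) == root


def filter_local_resources(document_root: str,
                           hrefs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split resource references into those inside the document root and those
    that would reach outside it. A converter would add only the first list."""
    kept: List[str] = []
    rejected: List[str] = []
    for href in hrefs:
        (kept if is_within_root(document_root, href) else rejected).append(href)
    return kept, rejected


if __name__ == "__main__":
    # Constructed sample: a document root and references of the kinds a
    # hostile HTML file might carry (hypothetical paths, not from the bug).
    sample_root = "/srv/book"
    sample_hrefs = [
        "images/cover.jpg",          # normal relative resource, inside the root
        "../../etc/passwd",          # traversal out of the root
        "/etc/hosts",                # absolute path that bypasses the root
        "../bookshelf/other.png",    # string-prefix sibling, still outside
    ]
    kept, rejected = filter_local_resources(sample_root, sample_hrefs)
    print("kept:    ", kept)
    print("rejected:", rejected)
```

The check is applied to the resolved path rather than the literal href, so it does not matter whether the escape is spelled with `..`, an absolute path, or a symlink; only the final location relative to the root decides.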
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 20:54:37 UTC
> Doesn't seem like there's an upstream report.

Of course, I've asked: https://github.com/0x1717/ssrf-via-img/issues/1
Comment 2 Eli Schwartz 2023-11-27 22:18:14 UTC
It is fixed upstream: https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b


But lacks proper documentation on the communication that went on and isn't tagged with a CVE in the calibre commit logs.

I'll also note that the demo repository was committed about one hour before the calibre commit that fixed it -- and 22 hours before the fixed version. I do not know what time the repo was made public ;) but clearly they were in communication.

The CVE notes that it is present "in calibre before 6.19.0" and that is indeed when the commit in question was released.

calibre is NOT stabled in 6.29, only in 5.x, and I had to drop keywords to update to 6.x at all -- what do I do for the dropped keywords here?
Comment 3 Eli Schwartz 2023-11-28 00:29:26 UTC
The backport to 5.x is trivial and I have tested calibre-5.44.0-r2 and -r3 to confirm that the CVE exists in the former and does not exist in the latter.
Comment 4 Larry the Git Cow gentoo-dev 2023-11-28 00:40:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20cd7b8cadeb67402a3c8f067df2b7aabcd85923

commit 20cd7b8cadeb67402a3c8f067df2b7aabcd85923
Author:     Eli Schwartz <eschwartz93@gmail.com>
AuthorDate: 2023-11-28 00:22:43 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-11-28 00:40:07 +0000

    app-text/calibre: backport fix for CVE-2023-46303 to the 5.x branch
    
    Bug: https://bugs.gentoo.org/918429
    Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/34022
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/calibre/calibre-5.44.0-r3.ebuild          | 269 +++++++++++++++++++++
 ...Dont-add-resources-that-exist-outside-the.patch |  55 +++++
 2 files changed, 324 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 00:53:27 UTC
Thanks! Please stabilize when ready.
Comment 6 Eli Schwartz 2024-01-23 00:36:03 UTC
Sorry, forgot to tag.

commit c40d74ff97efd61cdee3d0c56145869fa0a5130f
Author:     Eli Schwartz <eschwartz93@gmail.com>
AuthorDate: Thu Jan 18 23:05:47 2024
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: Fri Jan 19 00:20:23 2024

    app-text/calibre: drop old
    
    5.44.0-r2 is pre-CVE backport and superseded by -r3.
    
    The 7.0.0 and 7.1.0 versions were never stabled, and 7.2.0 leapfrogged
    over. So stable that instead.
    
    Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/34892
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/calibre/Manifest                 |   4 ---
 app-text/calibre/calibre-5.44.0-r2.ebuild | 266 -----------------------------------------------------------------------------------------------------------------------------------------------------------------
 app-text/calibre/calibre-7.0.0.ebuild     | 242 --------------------------------------------------------------------------------------------------------------------------------------------------
 app-text/calibre/calibre-7.1.0.ebuild     | 242 --------------------------------------------------------------------------------------------------------------------------------------------------
 4 files changed, 754 deletions(-)