Bug 936961 (CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009) - <app-text/calibre-7.16.0: various exploits against the content server
Status: CONFIRMED
Alias: CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: C1 [glsa]
Keywords:
Depends on: 936963 936964
Blocks:
Reported: 2024-07-31 03:43 UTC by Eli Schwartz
Modified: 2024-08-16 01:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Eli Schwartz gentoo-dev 2024-07-31 03:43:01 UTC
https://calibre-ebook.com/whats-new for 7.16.0

Remote code execution:
A remote code execution bug in the Content server introduced in calibre version 6.9.0 (released on 2022-11-25) means that anyone with access to the server also has access to the rest of the computer the server is running on. If you are using a password to protect access to the server, only people that know the password can gain access via the bug.


Path traversal:
A bug in a feature introduced in calibre version 6.16.0 (released 2023-04-20) means anyone with access to the server can also read non-calibre-related files on the computer running the server.


SQL injection:
A bug in a feature introduced in calibre version 6.10.0 (released 2022-12-16) means anyone with access to the server can also read non-calibre SQLite database files on the computer running the server.


XSS:
Only relevant if you embed the calibre server within a larger server. It means attackers who can convince users to click on a specially crafted link can run JavaScript code with the same origin as the larger server calibre is embedded in.
Comment 1 Larry the Git Cow gentoo-dev 2024-07-31 03:53:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34c67cbd5d13469221f14e46981a8e6a91fb2068

commit 34c67cbd5d13469221f14e46981a8e6a91fb2068
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-07-31 03:49:37 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-07-31 03:51:38 +0000

    app-text/calibre: backport fix for CVE-2024-7008 to 5.44
    
    Although 4 CVEs were fixed in 7.16.0, only one of them (relatively
    minor) is present in 5.x.
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 ...e-5.44.0-r4.ebuild => calibre-5.44.0-r5.ebuild} |  2 ++
 .../files/calibre-5.44.0-xss-backport.patch        | 33 ++++++++++++++++++++++
 2 files changed, 35 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d31278435e4ad4d009120729d694cf3d06653e34

commit d31278435e4ad4d009120729d694cf3d06653e34
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-07-31 03:35:06 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-07-31 03:51:37 +0000

    app-text/calibre: add 7.16.0
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 app-text/calibre/Manifest              |   2 +
 app-text/calibre/calibre-7.16.0.ebuild | 243 +++++++++++++++++++++++++++++++++
 2 files changed, 245 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-08-16 01:16:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd95a78b278fdb5caf1e1bd86d9c4cd72a1e56d8

commit dd95a78b278fdb5caf1e1bd86d9c4cd72a1e56d8
Author:     Eli Schwartz <eschwartz@gentoo.org>
AuthorDate: 2024-08-14 22:22:46 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-08-16 01:12:37 +0000

    app-text/calibre: drop old for security cleanup
    
    Bug: https://bugs.gentoo.org/936961
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 app-text/calibre/Manifest                 |   2 -
 app-text/calibre/calibre-5.44.0-r3.ebuild | 273 ------------------------------
 app-text/calibre/calibre-7.13.0.ebuild    | 243 --------------------------
 3 files changed, 518 deletions(-)