Commit ef2f8d10 authored by Brian May's avatar Brian May

Mark calibre CVE-2018-7889 in wheezy

There is no known fix for this, and a true fix is not possible
without changing the configuration file formats not to allow
executable code.

See:
* https://lists.debian.org/debian-lts/2018/04/msg00098.html
* https://lists.debian.org/debian-lts/2018/05/msg00009.html
parent 4da8de7a
......@@ -6829,6 +6829,7 @@ CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine
NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on ...)
- calibre 3.19.0+dfsg-1 (bug #892242)
[wheezy] - calibre <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/calibre/+bug/1753870
NOTE: deserialization fix https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
NOTE: insufficient as import also loads configuration files, which are python executables,
......@@ -12,10 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
apache2 (Roberto C. Sánchez)
--
calibre (Brian May)
NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo)
NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo)
--
cups (Thorsten Alteholz)
NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz)
--
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment