Advisories » MGASA-2018-0399

Updated calibre packages fix security vulnerability

Publication date: 19 Oct 2018
Modification date: 20 Oct 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-7889

Description

Updated calibre package fixes a security vulnerability:

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on
imported bookmark data, which allows remote attackers to execute arbitrary
code via a crafted .pickle file, as demonstrated by Python code that
contains an os.system call (CVE-2018-7889).

The python-html5-parser package is a new dependency for the updated calibre
package and has been included with this update.
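
The unsafe pattern described above and one way to close it, as an added example that is not Calibre's or Mageia's code: a Python 3 unpickler that refuses every global lookup, so imported bookmark data can contain only plain containers, strings and numbers. The bookmark layout, the names DataOnlyUnpickler, load_bookmarks and is_rejected, and the sample pickles are assumptions constructed for illustration; the crafted sample calls the harmless len() where a hostile file would name a dangerous callable.

```python
import io
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (hypothetical helper).

    Lists, dicts, strings and numbers are built by dedicated opcodes and
    never reach find_class(); anything that does is a request to import a
    callable, which is how a crafted .pickle gets code to run on load.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in bookmark data" % (module, name))


def load_bookmarks(raw):
    """Hardened stand-in for a bare pickle.load() on an imported file."""
    bookmarks = DataOnlyUnpickler(io.BytesIO(raw)).load()
    # Check the shape too: assumed layout is a list of dicts.
    if not isinstance(bookmarks, list) or not all(
            isinstance(b, dict) for b in bookmarks):
        raise ValueError("unexpected bookmark structure")
    return bookmarks


class _CallsOnLoad(object):
    """Constructed stand-in for a crafted object: loading it calls len()."""

    def __reduce__(self):
        return (len, ("constructed",))


# Constructed sample inputs, not real Calibre bookmark files.
GOOD = pickle.dumps([{"title": "Chapter 1", "pos": 0.25}])
CRAFTED = pickle.dumps([_CallsOnLoad()])
# A bare pickle.loads(CRAFTED) calls len() during loading and returns [11].


def is_rejected(raw):
    """True when the hardened loader refuses the input."""
    try:
        load_bookmarks(raw)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False
```

Where the format is under the application's control, a data-only serialization such as JSON for import and export removes the need for pickle on untrusted files altogether.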
                

References

SRPMS

6/core