Mageia Advisory: MGASA-2018-0399 - Updated calibre packages fix security vulnerability

Updated calibre packages fix security vulnerability

Publication date: 19 Oct 2018
Modification date: 20 Oct 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-7889

Description

Updated calibre package fixes security vulnerability:

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on
imported bookmark data, which allows remote attackers to execute arbitrary
code via a crafted .pickle file, as demonstrated by Python code that
contains an os.system call (CVE-2018-7889).

The python-html5-parser package is a new dependency for the updated calibre
package and has been included with this update.

References

https://bugs.mageia.org/show_bug.cgi?id=22814
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7889

SRPMS

6/core

calibre-3.27.1-2.mga6
python-html5-parser-0.4.4-1.1.mga6
python-lxml-3.8.0-1.1.mga6

Advisories » MGASA-2018-0399

Updated calibre packages fix security vulnerability

Description

References

SRPMS

6/core