Bug 29803

Summary: calibre new security issue CVE-2021-44686
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, mageia, smelror, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: calibre-4.23.0-7.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2021-12-22 16:57:52 CET
Fedora has issued an advisory today (December 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W7QKFPYJ23KG6WJ5NIYAM4N2NWZCLQGL/

The issue is fixed upstream in 5.32.0.

Mageia 8 is also affected.
David Walser 2021-12-22 16:58:06 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-12-22 19:36:46 CET
Seems best to assign this to Stig, the official maintainer, even though you have not touched it for ages (update to version 4.23.0).

Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2021-12-27 00:42:23 CET
Fix pushed in mga 8/9

src:
    - calibre-4.23.0-3.1.mga8

CC: (none) => mageia, smelror
Assignee: smelror => qa-bugs
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2021-12-27 23:50:40 CET
mga8, x64

Went ahead with this on the assumption that only one update file is involved. Calibre already installed and database established in ~/'Calibre Library'.
Clean update to calibre-4.23.0-3.1.mga8.
Launched the application from system menus and loaded an existing epub book from the library and perused it.  Did the same for a PDF.  Converted an external PDF to standard epub format and opened that in the Viewer.  Used the "get books" facility to search on Entanglement and download a specific choice in epub format from archive.org but that failed.  Found the same book via Project Gutenberg and downloaded it as a PDF.  It could be read OK, unintelligible for the layman.  Examined tags for various items in the library.  Closed down then restarted from the cli.  The new book was there.  Selected and deleted the new book.  It was definitely gone on the next run.

No regressions so it can be sent on.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-12-27 23:58:18 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-30 03:50:03 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-12-30 17:43:05 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0593.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED