Bug 22814 - calibre new security issue CVE-2018-7889
Summary: calibre new security issue CVE-2018-7889
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-21 19:43 CET by David Walser
Modified: 2018-10-20 15:49 CEST
CC List: 6 users

See Also:
Source RPM: calibre-2.85.1-2.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 3.19.0


Description David Walser 2018-03-21 19:43:05 CET
Fedora has issued an advisory on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/

It sounds like there's more to this issue than just the one patch linked from the Red Hat bug, and upgrading to 3.19.0 is the only way to safely fix all of it.
David Walser 2018-03-21 19:45:31 CET

Status comment: (none) => Fixed upstream in 3.19.0

Comment 1 Marja Van Waes 2018-03-22 17:30:16 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => tarakbumba

Comment 2 Samuel Verschelde 2018-09-21 09:40:19 CEST
Reassigning to all packagers collectively as the original maintainer is not available anymore (thanks for all your work Atilla!).

Assignee: tarakbumba => pkg-bugs

Comment 3 Bruno Cornec 2018-10-15 02:29:57 CEST
version 3.27.1 pushed also to mga6 to solve that issue.

CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2018-10-15 04:16:32 CEST
Besides calibre-3.27.1-1.mga6, IIRC, I saw you push some other packages to mga6 updates_testing in the last few days that were deps for this package.  You need to list those packages (SRPMS and RPMS) and provide a note as to why they needed to be updated.

Keywords: (none) => feedback

Comment 5 Bruno Cornec 2018-10-15 19:54:33 CEST
Indeed, David: python-html5-parser had to be added to MGA6, as it is a new dependency for calibre since version 3.5.0 and was required to allow calibre to be built.

I pushed the SRPM python-html5-parser-0.4.4-2.mga6.src.rpm and the corresponding RPMS python-html5-parser-0.4.4-1.1.mga6.x86_64.rpm & python3-html5-parser-0.4.4-2.mga6.x86_64.rpm
Comment 6 David Walser 2018-10-15 20:03:47 CEST
Thanks :D

Advisory:
========================

Updated calibre package fixes security vulnerability:

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported
bookmark data, which allows remote attackers to execute arbitrary code via a
crafted .pickle file, as demonstrated by Python code that contains an os.system
call (CVE-2018-7889).

The python-html5-parser package is a new dependency for the updated calibre
package and has been included with this update.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7889
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUNMTXK3UTN636LOBG63UDSTVM4AF26T/
========================

Updated packages in core/updates_testing:
========================
python-html5-parser-0.4.4-1.1.mga6
python3-html5-parser-0.4.4-1.1.mga6
calibre-3.27.1-1.mga6

from SRPMS:
python-html5-parser-0.4.4-1.1.mga6.src.rpm
calibre-3.27.1-1.mga6.src.rpm

Keywords: feedback => (none)

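The advisory text above describes the whole class of bug, not just one file: pickle reconstructs objects by calling whatever callable the serialized data names, so loading an attacker-supplied bookmark file with cPickle.load is code execution by design. The following Python 3 example is added here for illustration and is not calibre's code (calibre at the time ran on Python 2, where the module is cPickle). It shows the vulnerable load pattern fed a constructed, deliberately harmless crafted file, a JSON-based replacement that validates the data it reads, and a restricted unpickler for reading legacy files during a migration. The bookmark schema (a list of objects with string "title" and "pos") and all function names are assumptions made for the example.

```python
"""Pickle-based bookmark import (the CVE-2018-7889 pattern) beside two safer
alternatives.  Added illustration, not calibre's code; the bookmark schema
(list of {"title", "pos"} objects) is an assumption for this example."""
import io
import json
import os
import pickle


class _BookmarkPayload(object):
    """Object whose pickled form calls os.system when it is *loaded*.

    pickle rebuilds an object by calling whatever __reduce__ names, so a file
    built from this class carries an os.system call, exactly the mechanism
    the advisory describes.  The command is deliberately harmless.
    """

    def __reduce__(self):
        return (os.system, ("echo bookmark-pickle-payload-ran",))


def make_crafted_bookmark_file():
    """Bytes an attacker would hand to a victim as a bookmark file (constructed)."""
    return pickle.dumps(_BookmarkPayload())


def make_legacy_bookmark_file(bookmarks):
    """Bytes a benign pre-fix client would have written: plain pickled data."""
    return pickle.dumps(bookmarks)


def import_bookmarks_unsafe(data):
    """The vulnerable pattern: unpickle whatever the user imported.

    With the crafted file the command has already run by the time this
    returns, and the 'bookmarks' are the int os.system returned.
    """
    return pickle.load(io.BytesIO(data))


def export_bookmarks(bookmarks):
    """Serialise bookmarks as JSON, a data-only format with no 'call' opcode."""
    return json.dumps(bookmarks, sort_keys=True).encode("utf-8")


def import_bookmarks_safe(data):
    """Parse bookmarks as JSON and validate their shape before using them.

    A crafted file can at worst be rejected here; nothing in the input is
    ever interpreted as code.  Raises ValueError on anything malformed.
    """
    try:
        raw = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("not a JSON bookmark file: %s" % exc)
    if not isinstance(raw, list):
        raise ValueError("bookmark file must contain a list")
    clean = []
    for entry in raw:
        if not isinstance(entry, dict):
            raise ValueError("each bookmark must be an object")
        title, pos = entry.get("title"), entry.get("pos")
        if not isinstance(title, str) or not isinstance(pos, str):
            raise ValueError("each bookmark needs string 'title' and 'pos'")
        clean.append({"title": title, "pos": pos})
    return clean


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every reference to a module-level name.

    Plain containers, strings and numbers still load, but the GLOBAL lookup a
    crafted file needs to reach os.system raises UnpicklingError.  Only for
    reading legacy files while migrating to JSON: it stops code execution
    but not, for example, memory exhaustion from a huge or nested pickle.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))


def import_legacy_bookmarks(data):
    """Load an old pickle-format bookmark file without honouring any callable."""
    return _NoGlobalsUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    crafted = make_crafted_bookmark_file()
    print("unsafe load returned:", import_bookmarks_unsafe(crafted))
    for loader in (import_bookmarks_safe, import_legacy_bookmarks):
        try:
            loader(crafted)
        except Exception as exc:
            print("%s rejected it: %s" % (loader.__name__, exc))
```

The unsafe loader returns an int rather than a list for the crafted file, which is the tell-tale sign that a function, not a data structure, came out of the pickle. The restricted unpickler is a stop-gap for existing files only; new exports should use the JSON path, since an unpickler that allows nothing through find_class still parses attacker-controlled bytes with a stack machine that was never designed to be robust against hostile input.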
Comment 7 PC LX 2018-10-16 13:05:46 CEST
Installed and tested with ONE ISSUE FOUND.

TL;DR:
The package calibre needs to depend on the package python-msgpack to fix a missing package error.


Tests included:
- Reading books;
- Adding books;
- Deleting books;
- Managing metadata;
- Downloading metadata from google and amazon;
- Converting formats;
- FAILED: Content server DOES NOT WORK due to a missing package "python-msgpack" (see error below). After installing the missing package the issue is resolved. To solve this, a dependency needs to be added to the calibre package.

Missing package error:
=========================================================
calibre, version 3.27.1
ERROR: Unhandled exception: ImportError: No module named msgpack

calibre 3.27.1  embedded-python: False is64bit: True
Linux-4.14.70-desktop-2.mga6-x86_64-with-mageia-6-Official Linux ('64bit', 'ELF')
('Linux', '4.14.70-desktop-2.mga6', '#1 SMP Thu Sep 20 22:05:46 UTC 2018')
Python 2.7.15
Linux: ('Mageia', '6', 'Official')
Interface language: pt
Traceback (most recent call last):
  File "/usr/lib64/calibre/calibre/gui2/actions/device.py", line 215, in toggle_content_server
    self.gui.start_content_server()
  File "/usr/lib64/calibre/calibre/gui2/ui.py", line 482, in start_content_server
    from calibre.srv.embedded import Server
  File "/usr/lib64/calibre/calibre/srv/embedded.py", line 13, in <module>
    from calibre.srv.handler import Handler
  File "/usr/lib64/calibre/calibre/srv/handler.py", line 13, in <module>
    from calibre.srv.routes import Router
  File "/usr/lib64/calibre/calibre/srv/routes.py", line 15, in <module>
    from calibre.utils.serialize import msgpack_dumps, json_dumps, MSGPACK_MIME
  File "/usr/lib64/calibre/calibre/utils/serialize.py", line 10, in <module>
    import msgpack
ImportError: No module named msgpack
=========================================================

$ uname -a
Linux marte 4.14.70-desktop-2.mga6 #1 SMP Thu Sep 20 22:05:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ LANGUAGE=C urpmi calibre
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  python-chardet                 2.3.0        3.mga6        noarch  
  python-regex                   2015.11.22   1.mga6        x86_64  
(medium "Core Updates Testing")
  calibre                        3.27.1       1.mga6        x86_64  
  python-html5-parser            0.4.4        1.1.mga6      x86_64  
  python-lxml                    3.8.0        1.1.mga6      x86_64  
3.8MB of additional disk space will be used.
29MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) 
<SNIP>

CC: (none) => mageia

Comment 8 Bruno Cornec 2018-10-17 01:27:17 CEST
Thanks for your test. Package updated to include the missing dep in calibre-3.27.1-2.mga6
Comment 9 PC LX 2018-10-17 11:13:43 CEST
Installed and tested without issues.

The issue referred to in comment #7, the missing dependency on package python-msgpack, is fixed.

$ LANGUAGE=C urpmi calibre 
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  python-msgpack                 0.4.6        3.mga6        x86_64  
(medium "Core Updates Testing")
  calibre                        3.27.1       2.mga6        x86_64  
253KB of additional disk space will be used.
28MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)

Whiteboard: (none) => MGA6-64-OK

Comment 10 David Walser 2018-10-17 20:27:52 CEST
Bruno, please remember to use a subrel when making such fixes in the future instead of bumping the rel (but thanks for the fix).
Comment 11 Bruno Cornec 2018-10-18 21:07:19 CEST
I'm not sure I get the rule :-( For lilypond you asked me to *not* use subrel to avoid the mga7 version being lower than the mga6 one, so that's what I applied here. (BTW calibre in mga7 has the tag 3, so will be higher). Let me know what I'm missing.
Comment 12 David Walser 2018-10-18 21:30:44 CEST
It's very simple.  When you upgrade a package to a new version (as you did with lilypond), the release tag is 1 and there is no subrel, just as in Cauldron.  For stable releases, whenever you rebuild an existing version of a package, you always increment the subrel (or add it if there isn't one).  At no time do you ever increment a release tag in stable releases.
Comment 13 Thomas Andrews 2018-10-18 22:55:54 CEST
Validating. Suggested advisory in Comment 6 needs to be updated to include the missing dep from the first test.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-19 17:57:20 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 14 Mageia Robot 2018-10-19 20:01:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0399.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 15 Thomas Backlund 2018-10-20 15:49:23 CEST
python-lxml-3.8.0-1.1.mga6 was missed from the advisory, causing bug 23737...

now fixed
