[CVE] JavaScript in a book can access local files using XMLHttpRequest

Bug #1758699 reported by Simon Quigley
Affects                 Status        Importance  Assigned to     Milestone
calibre (Ubuntu)        Fix Released  Medium      Unassigned
  Trusty                Fix Released  Medium      Simon Quigley
  Xenial                Fix Released  Medium      Simon Quigley
  Artful                Fix Released  Medium      Simon Quigley

Bug Description

For CVE-2016-10187:
The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript.

For CVE-2018-7889:
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
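The CVE-2018-7889 description above is the classic pickle problem: cPickle.load on attacker-supplied bytes runs code during deserialization, and the Ubuntu changelogs further down summarise the fix as "CPickle instead of JSON". The following is an added example, not calibre's own code, of what that replacement looks like: bookmark import and export that parse the interchange format as JSON and validate its shape, so that the input is only ever treated as data. The field names ("title", "pos"), the list-of-objects layout and the sample inputs are assumptions made for the illustration.

```python
"""Added example (not calibre's own code): JSON-based bookmark import/export
with schema validation, replacing pickle deserialization of imported data.
The bookmark schema ("title" and "pos" string fields) is assumed."""
import json
import pickle  # used only to build a constructed legacy-format blob for the negative check

# Assumed bookmark schema: each bookmark is an object with exactly these
# string fields. Unknown keys are dropped rather than passed through.
REQUIRED_FIELDS = ("title", "pos")


class BookmarkImportError(ValueError):
    """Raised for anything that is not a well-formed JSON bookmark list."""


def validate_bookmark(obj):
    """Return a clean dict holding only the expected string fields, or raise."""
    if not isinstance(obj, dict):
        raise BookmarkImportError("bookmark entry is not an object")
    clean = {}
    for field in REQUIRED_FIELDS:
        value = obj.get(field)
        if not isinstance(value, str):
            raise BookmarkImportError("field %r missing or not a string" % field)
        clean[field] = value
    return clean


def import_bookmarks(data):
    """Parse imported bytes as a JSON list of bookmarks. Never unpickles."""
    try:
        parsed = json.loads(data.decode("utf-8"))
    except ValueError as exc:
        # json.JSONDecodeError and UnicodeDecodeError are both ValueError
        # subclasses, so this covers malformed JSON as well as non-UTF-8
        # input such as a binary pickle stream.
        raise BookmarkImportError("not a JSON bookmark file: %s" % exc) from None
    if not isinstance(parsed, list):
        raise BookmarkImportError("top-level value must be a list")
    return [validate_bookmark(entry) for entry in parsed]


def export_bookmarks(bookmarks):
    """Serialize bookmarks as UTF-8 JSON, validating on the way out as well."""
    return json.dumps([validate_bookmark(b) for b in bookmarks],
                      ensure_ascii=False, indent=2).encode("utf-8")


def is_rejected(data):
    """True if import_bookmarks refuses the input (used by the checks below)."""
    try:
        import_bookmarks(data)
    except BookmarkImportError:
        return True
    return False


# Constructed sample inputs.
SAMPLE_JSON = b'[{"title": "Chapter 3", "pos": "epubcfi(/6/12!/4/2)"}]'
# A well-formed entry carrying an extra key: JSON has no code path, so the
# key is merely data and validate_bookmark drops it.
EXTRA_KEY_JSON = (b'[{"title": "Notes", "pos": "epubcfi(/6/4!/4/1)", '
                  b'"__reduce__": "ignored"}]')
# The legacy format: a pickle stream built here with pickle.dumps purely to
# show that it is refused without ever being loaded.
LEGACY_PICKLE = pickle.dumps([{"title": "Chapter 3", "pos": "epubcfi(/6/12!/4/2)"}])

if __name__ == "__main__":
    print(import_bookmarks(SAMPLE_JSON))
    print(import_bookmarks(EXTRA_KEY_JSON))
    print("legacy pickle rejected:", is_rejected(LEGACY_PICKLE))
    print(export_bookmarks(import_bookmarks(SAMPLE_JSON)).decode("utf-8"))
```

The point of validating on export as well as import is that a bookmark file written by this code is guaranteed to round-trip through the same checks; a pickle stream, or JSON with the wrong shape, is reported as a malformed file rather than being interpreted.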

Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Trusty):
importance: Undecided → Medium
Changed in calibre (Ubuntu Xenial):
importance: Undecided → Medium
Changed in calibre (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
Simon Quigley (tsimonq2) wrote :

I have uploaded these fixes (for Xenial and Trusty) to a fresh test PPA of mine with all architectures switched on and only the security repo enabled. I then tested both in VMs of each release, and they work as intended. It also fixes the security issue.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878700/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878706/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Changed in calibre (Ubuntu Trusty):
status: New → In Progress
Changed in calibre (Ubuntu Xenial):
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

Marc Deslauriers pointed out to me over IRC that Trusty and Xenial are also vulnerable to CVE-2018-7889.

So Trusty and Xenial need to receive patches for CVE-2016-10187 and CVE-2018-7889 while Artful just needs the patch for CVE-2018-7889.

I think it makes sense to mark the separate bug I filed for CVE-2018-7889 a duplicate of this one.

I'll update my PPA and test with this new information, and I'll report back.

Thanks!

description: updated
Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Artful):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Simon Quigley (tsimonq2)
Simon Quigley (tsimonq2) wrote :

No candidate patches, yet.

Changed in calibre (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in calibre (Ubuntu Xenial):
status: In Progress → Confirmed
Simon Quigley (tsimonq2) wrote :

I have reached a point where I would like some guidance as to the contents of the patch for the CVE-2018-7889 Trusty backport.

So, this is the line in src/calibre/gui2/viewer/bookmarkmanager.py that has been patched upstream for this:

     def item_to_bm(self, item):
- return cPickle.loads(bytes(item.data(Qt.UserRole)))
+ return item.data(Qt.UserRole).copy()

( https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d )

Here is my attempt to backport it:

     def item_to_bm(self, item):
- return cPickle.loads(bytes(item.data(Qt.UserRole).toPyObject()))
+ return item.data(Qt.UserRole).copy()
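Review bot: the `+` line copies the upstream PyQt5 change verbatim, but the `-` line it replaces shows that on this PyQt4 code path `item.data(Qt.UserRole)` yields a QVariant that needs `.toPyObject()` before it is a Python object, which is exactly the `AttributeError` reported below. The `TypeError` quoted below (`key PyQt4.QtCore.QString(u'pos') is not a string`) then shows that the converted dict still carries QString keys rather than plain strings, so the backport needs one further step: convert the keys (and any QString values) to unicode before returning, for instance `{unicode(k): v for k, v in d.items()}` where `d` is the `.toPyObject()` result. That keeps the upstream behaviour of returning a plain copy of the stored data without reintroducing the cPickle.loads call.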

This errors out at runtime with this error: "AttributeError: 'QVariant' object has no attribute 'copy'"

I tried changing "return item.data(Qt.UserRole).copy()" to "return item.data(Qt.UserRole).toPyObject().copy()" but I'm thrown "TypeError: key PyQt4.QtCore.QString(u'pos') is not a string"

I expect that there are somewhat significant codebase differences due to the fact that Trusty is based off of PyQt4 while Bionic is based off of PyQt5, but I am a bit stumped at why this error would be thrown.

I've subscribed Marc directly because I have worked with him on this (briefly, via IRC), and I'm a bit out of time at the moment (18.04 is near) to be researching old PyQt4 syntax, but if I'm missing something obvious, please yell.

Thanks.

Simon Quigley (tsimonq2) wrote :

In the meantime, I have updated my PPA with working fixes (I tested each in a fresh VM; they work as intended and fix the security issue) for Xenial and Artful.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8981311/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8981308/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 2.55.0+dfsg-1ubuntu0.2

---------------
calibre (2.55.0+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: JavaScript in a book can access local files using
    XMLHttpRequest (LP: #1758699).
    - fix-CVE-2016-10187.patch
    - CVE-2016-10187
  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON.
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Wed, 11 Apr 2018 23:50:09 -0500

Changed in calibre (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 3.7.0+dfsg-2ubuntu0.1

---------------
calibre (3.7.0+dfsg-2ubuntu0.1) artful-security; urgency=medium

  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON (LP: #1758699).
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Thu, 12 Apr 2018 00:02:07 -0500

Changed in calibre (Ubuntu Artful):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 1.25.0+dfsg-1ubuntu1.2

---------------
calibre (1.25.0+dfsg-1ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: JavaScript in a book can access local files using
    XMLHttpRequest (LP: #1758699).
    - fix-CVE-2016-10187.patch
    - CVE-2016-10187
  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON (LP: #1758699).
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Thu, 12 Apr 2018 16:06:17 -0500

Changed in calibre (Ubuntu Trusty):
status: Confirmed → Fix Released