Jump to:

CVE-2018-7889

Jump to:

CVE-2018-7889

Package calibre updated to version 3.19.0-alt1 for branch sisyphus in task 202546.

Published: 2018-03-08
Modified: 2024-11-21

CVE-2018-7889

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

Severity: MEDIUM (6.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

https://bugs.launchpad.net/calibre/+bug/1753870
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
https://bugs.launchpad.net/calibre/+bug/1753870
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d

Version: 2.1.2

Package calibre update in sisyphus on 2018-03-20

ALT-PU-2018-1454-1

Closed vulnerabilities

CVE-2018-7889