#1135543 calibre: upstream 9.8 contains unannounced security fixes; please review affected Debian versions

Package: calibre
Source: calibre
Submitter: Karl Jonatan Nyberg
Date: 2026-05-10 13:39:01 UTC
Severity: normal
#1135543#5
Date: 2026-05-02 12:44:33 UTC
Dear Maintainer,

I would like to report that upstream calibre contains a public commit titled
"Fix security vulnerabilities and code quality issues":

https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166

The commit date is Tue, 21 Apr 2026. The commit message explicitly lists
multiple security-related fixes, including:

High severity:
- Fix typo normapth -> normpath in srv/content.py (broken endpoint)
- Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
- Log exceptions in FunctionDispatcher.dispatch instead of swallowing

Medium severity:
- Add path traversal protection to DirContainer read/write/exists
- Fix XPath injection in comments_editor.py merge_contiguous_links
- Use parameterized SQL queries in database2.py library_id setter
- Add safety comment to pickle_loads in utils/serialize.py

However, these fixes do not appear to be mentioned in the upstream calibre
9.8 release notes:

https://calibre-ebook.com/whats-new

The 9.8 release notes list new features and ordinary bug fixes, but I do not
see these security-related fixes or CVE references mentioned there.

Debian unstable currently has calibre 9.8.0+ds+~0.10.5-1, which appears likely
to include the upstream fixes. However, Debian testing/stable/backports may
still contain older versions, so I think this should be reviewed for Debian
security tracking and possible backports.

Please could you check whether the issues fixed by the upstream commit affect
the Debian-packaged versions, especially testing/stable/backports, and whether
they should receive CVE/security-tracker entries or Debian security updates?

I am not including exploit details; the concern is based on the public upstream
commit message and the absence of corresponding release-note/security-tracker
visibility.

Relevant upstream commit:
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166

Upstream 9.8 release notes:
https://calibre-ebook.com/whats-new

Debian package tracker:
https://tracker.debian.org/pkg/calibre
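The commit message quoted above names three well-understood hardening patterns: parsing stored literals with ast.literal_eval() instead of eval(), keeping a directory-backed container's read/write/exists inside its root, and binding SQL values as parameters. The Python below is an added illustration of each pattern; it is not calibre's code and is not taken from the upstream commit. SafeDirContainer, the settings table and every sample value are constructed for this example, and the XPath item is not covered.

```python
import ast
import os
import sqlite3
import tempfile


# 1. Stored literals: ast.literal_eval accepts only literal syntax (strings,
#    numbers, tuples, lists, dicts, ...). A string containing a call, a name
#    or attribute access is rejected instead of executed.
def parse_stored_literal(text):
    """Return the literal value encoded in `text`, or None if it is not a pure literal."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return None


# 2. Path containment: the requested name is joined to the root, resolved
#    (symlinks included) and must still lie under the resolved root.
#    commonpath avoids the string-prefix pitfall where "/lib2" would pass
#    a startswith() check against "/lib".
def resolve_inside(root, name):
    """Return the real absolute path of `name` under `root`, or None if it would escape."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


class SafeDirContainer:
    """Hypothetical directory-backed container (stand-in, not calibre's DirContainer)."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _path(self, name):
        path = resolve_inside(self.root, name)
        if path is None:
            raise ValueError(f"refusing path outside container: {name!r}")
        return path

    def exists(self, name):
        return os.path.exists(self._path(name))

    def read(self, name):
        with open(self._path(name), "rb") as f:
            return f.read()

    def write(self, name, data):
        path = self._path(name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo_container():
    """Exercise the container in a temp dir; returns (bytes read back, escape rejected?)."""
    with tempfile.TemporaryDirectory() as root:
        box = SafeDirContainer(root)
        box.write("books/a.txt", b"hello")
        content = box.read("books/a.txt")
        try:
            box.read("../escape.txt")  # constructed traversal attempt
            rejected = False
        except ValueError:
            rejected = True
    return content, rejected


# 3. Parameterized SQL: the value is bound by the driver and never spliced
#    into the statement text, so quotes inside it cannot alter the query.
#    The settings table is a constructed schema for this example.
def open_settings_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT)")
    return conn


def set_setting(conn, key, value):
    conn.execute("INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)", (key, value))
    conn.commit()


def get_setting(conn, key):
    row = conn.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(parse_stored_literal("{'sort': 'title', 'cols': [1, 2]}"))  # a dict
    print(parse_stored_literal("print('hi')"))  # None: a call is not a literal
    print(demo_container())  # (b'hello', True)
    print(resolve_inside("/srv/library", "/etc/hosts"))  # None: absolute path escapes
    conn = open_settings_db()
    set_setting(conn, "library_id", "O'Brien's library")
    print(get_setting(conn, "library_id"))  # apostrophe stored verbatim
```

The containment check is a lexical-plus-symlink check at the time of the call; a file or symlink swapped between the check and the open is a separate race that the check alone does not cover, so the container should also run with the least filesystem privilege it needs.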

#1135543#10
Date: 2026-05-02 13:24:43 UTC
Hello Karl,

This issue was reported in upstream pull request:
https://github.com/kovidgoyal/calibre/pull/3101

And the upstream author said "None of these are security issues".
https://github.com/kovidgoyal/calibre/pull/3101#issuecomment-4289099827