Dear Maintainer,

I would like to report that upstream calibre contains a public commit titled
"Fix security vulnerabilities and code quality issues":
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166

The commit date is Tue, 21 Apr 2026. The commit message explicitly lists
multiple security-related fixes, including:

High severity:
- Fix typo normapth -> normpath in srv/content.py (broken endpoint)
- Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
- Log exceptions in FunctionDispatcher.dispatch instead of swallowing

Medium severity:
- Add path traversal protection to DirContainer read/write/exists
- Fix XPath injection in comments_editor.py merge_contiguous_links
- Use parameterized SQL queries in database2.py library_id setter
- Add safety comment to pickle_loads in utils/serialize.py

However, these fixes do not appear to be mentioned in the upstream calibre
9.8 release notes:
https://calibre-ebook.com/whats-new

The 9.8 release notes list new features and ordinary bug fixes, but I do not
see these security-related fixes or CVE references mentioned there.

Debian unstable currently has calibre 9.8.0+ds+~0.10.5-1, which appears likely
to include the upstream fixes. However, Debian testing/stable/backports may
still contain older versions, so I think this should be reviewed for Debian
security tracking and possible backports.

Please could you check whether the issues fixed by the upstream commit affect
the Debian-packaged versions, especially testing/stable/backports, and whether
they should receive CVE/security-tracker entries or Debian security updates?

I am not including exploit details; the concern is based on the public upstream
commit message and the absence of corresponding release-note/security-tracker
visibility.

Relevant upstream commit:
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166
Upstream 9.8 release notes:
https://calibre-ebook.com/whats-new
Debian package tracker:
https://tracker.debian.org/pkg/calibre
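As an added illustration of the "path traversal protection to DirContainer read/write/exists" item listed above (example code written for this report, not calibre's code and not the content of the upstream commit): a hypothetical DirContainer whose three methods route every caller-supplied name through a single containment check. The class name is borrowed from the commit message only; the temporary-directory layout and sample file are constructed.

```python
import os
import tempfile


class DirContainer:
    """Hypothetical directory-backed container (not calibre's own class)
    showing a containment check shared by read/write/exists."""

    def __init__(self, root):
        # realpath() resolves symlinks so the containment test below compares
        # canonical paths rather than cosmetically similar strings.
        self.root = os.path.realpath(root)

    def _resolve(self, name):
        if not name or os.path.isabs(name):
            raise ValueError(f'absolute or empty name rejected: {name!r}')
        full = os.path.realpath(os.path.join(self.root, name))
        # commonpath() compares whole path components; a plain startswith()
        # would wrongly accept a sibling directory such as <root>-evil/.
        if os.path.commonpath([self.root, full]) != self.root:
            raise ValueError(f'name escapes container: {name!r}')
        return full

    def exists(self, name):
        try:
            return os.path.exists(self._resolve(name))
        except ValueError:
            return False  # an escaping name does not "exist" in the container

    def read(self, name):
        with open(self._resolve(name), 'rb') as f:
            return f.read()

    def write(self, name, data):
        path = self._resolve(name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)


def demo():
    # Exercise the checks against a constructed temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        c = DirContainer(tmp)
        c.write('OEBPS/content.opf', b'<package/>')  # constructed sample file
        sibling = '../' + os.path.basename(tmp) + '-evil/x'
        return {
            'roundtrip': c.read('OEBPS/content.opf'),
            'dotdot_rejected': not c.exists('../outside.txt'),
            'sibling_rejected': not c.exists(sibling),
            'normalised_ok': c.exists('OEBPS/../OEBPS/content.opf'),
        }
```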