- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- YOKOTA Hiroshi
- Date:
- 2026-05-31 11:15:02 UTC
- Severity:
- normal
- Tags:
[ Reason ]
Fix Debian bug 1135543: calibre: upstream 9.8 contains unannounced security fixes
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135543

[ Impact ]
Some security issues remain unfixed.

[ Tests ]
Build-time tests passed.

[ Risks ]
Not well tested on a trixie machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
High severity:
- Fix typo normapth -> normpath in srv/content.py (broken endpoint)
- Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
- Log exceptions in FunctionDispatcher.dispatch instead of swallowing them

Medium severity:
- Add path traversal protection to DirContainer read/write/exists
- Fix XPath injection in comments_editor.py merge_contiguous_links
- Use parameterized SQL queries in database2.py library_id setter
- Add safety comment to pickle_loads in utils/serialize.py

[ Other info ]
Upstream discussion about this fix:
https://github.com/kovidgoyal/calibre/pull/3101

Examine the debdiff update online:
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...debian/trixie
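As an added illustration of the "path traversal protection to DirContainer read/write/exists" item in the change list, here is the kind of containment check such a fix typically introduces. This is example code written for this page, not calibre's DirContainer and not part of the debdiff; the class, method names and the sample book/secret paths are hypothetical.

```python
import os
import tempfile

class TraversalError(ValueError):
    """A container-relative name would escape the container root."""

class DirContainer:
    """Hypothetical directory-backed container (not calibre's class)."""
    def __init__(self, root):
        self.root = os.path.realpath(root)
    def _safe_path(self, name):
        if os.path.isabs(name):  # absolute names are never container-relative
            raise TraversalError(name)
        # realpath collapses '..' and follows symlinks, so the containment
        # check sees the path the OS would actually open; the trailing
        # os.sep stops a sibling such as 'book2' from passing as 'book'.
        full = os.path.realpath(os.path.join(self.root, name))
        if full != self.root and not full.startswith(self.root + os.sep):
            raise TraversalError(name)
        return full
    # exists/read/write touch the filesystem only after the check passes.
    def exists(self, name):
        return os.path.exists(self._safe_path(name))
    def read(self, name):
        with open(self._safe_path(name), 'rb') as f:
            return f.read()
    def write(self, name, data):
        path = self._safe_path(name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)

def demo():
    # Constructed scenario: a book directory, and a path outside it.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, 'book')
        os.makedirs(root)
        outside = os.path.join(tmp, 'secret.txt')
        c = DirContainer(root)
        c.write('OEBPS/chapter1.html', b'<p>hi</p>')
        results = {'inside': c.read('OEBPS/chapter1.html') == b'<p>hi</p>'}
        for label, name in (('relative', '../secret.txt'),
                            ('nested', 'OEBPS/../../secret.txt'),
                            ('absolute', outside)):
            try:
                c.exists(name)
                results[label] = 'allowed'
            except TraversalError:
                results[label] = 'blocked'
        return results
```

Running demo() shows the in-container name served normally while the three escaping names are rejected before any filesystem access.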
Hi,

That should IMHO get its metadata fixed, that is, get the bug fixed in 9.8.0+ds+~0.10.5-1 and so add a found version in an anchor of the trixie version.

Can you ask upstream if they will publish a GHSA for both issues separately and request CVEs?

Regards,
Salvatore
Hello Salvatore,

I have updated the metadata.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135543

And I also updated salsa and made a new debdiff.
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...debian/trixie

I asked upstream, but he will not publish a GHSA.
I made more fixes as deb13u4. So the online examine path for the deb13u3 fix has changed.
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...15e9d5649d1ff27e8bbd033309546080c0b8797c

Please confirm the deb13u3 fix before the deb13u4 fix.
Can you please squash all fixes into version +deb13u3 and send one debdiff?

Thanks,
Unified u3 and u4 into one debdiff. I also updated salsa.
Hi,

Please go ahead.

Thanks,