#1136055 trixie-pu: package calibre/8.5.0+ds-1+deb13u3

#1136055#5
Date:
2026-05-08 19:46:21 UTC
From:
To:
[ Reason ]
Fix Debian bug 1135543:
 calibre: upstream 9.8 contains unannounced security fixes
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135543

[ Impact ]
Some security issues remain unfixed.

[ Tests ]
Build-time tests passed.

[ Risks ]
Not well tested on a trixie machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
High severity:
  - Fix typo normapth -> normpath in srv/content.py (broken endpoint)
  - Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
  - Log exceptions in FunctionDispatcher.dispatch instead of swallowing

Medium severity:
  - Add path traversal protection to DirContainer read/write/exists
  - Fix XPath injection in comments_editor.py merge_contiguous_links
  - Use parameterized SQL queries in database2.py library_id setter
  - Add safety comment to pickle_loads in utils/serialize.py

[ Other info ]
Upstream discussion about this fix:
https://github.com/kovidgoyal/calibre/pull/3101
Examine the debdiff update online:
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...debian/trixie
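As an added illustration of the three hardening patterns named in the changes list above (path traversal protection on a directory container, replacing eval() with ast.literal_eval(), and parameterized SQL), here is example code that is not calibre's own and not part of this bug report. The class and function names (DirContainer, parse_option, set_library_id) and the table layout are hypothetical stand-ins, and the inputs in demo() are constructed.

```python
# Added example, not calibre's code: hardened versions of the three
# patterns listed in the changelog. Names and schema are hypothetical.
import ast
import os
import sqlite3
import tempfile


class DirContainer:
    """Read/write files confined to one root directory.

    Every relative name is resolved against the root and rejected when
    the resolved path escapes it (e.g. "../outside.txt").
    """

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, name):
        if os.path.isabs(name):
            raise ValueError(f"absolute path not allowed: {name!r}")
        path = os.path.realpath(os.path.join(self.root, name))
        # commonpath (not startswith) so "/tmp/root2" is not mistaken for "/tmp/root"
        if os.path.commonpath([self.root, path]) != self.root:
            raise ValueError(f"path escapes container: {name!r}")
        return path

    def exists(self, name):
        return os.path.exists(self._resolve(name))

    def read(self, name):
        with open(self._resolve(name), "rb") as f:
            return f.read()

    def write(self, name, data):
        path = self._resolve(name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def parse_option(text):
    """Parse a stored option value without executing it.

    ast.literal_eval accepts only Python literals (strings, numbers,
    tuples, lists, dicts, sets, booleans, None). Names, calls and
    attribute access raise ValueError instead of being evaluated.
    """
    return ast.literal_eval(text)


def set_library_id(conn, library_id):
    """Store library_id through a bound parameter, never string formatting."""
    conn.execute("DELETE FROM library_id")
    conn.execute("INSERT INTO library_id (uuid) VALUES (?)", (library_id,))
    conn.commit()
    return conn.execute("SELECT uuid FROM library_id").fetchone()[0]


def demo():
    """Exercise the helpers on constructed input; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        c = DirContainer(root)
        c.write("covers/book.jpg", b"\xff\xd8")
        results["inside_ok"] = (
            c.exists("covers/book.jpg") and c.read("covers/book.jpg") == b"\xff\xd8"
        )
        try:
            c.read("../outside.txt")
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
    results["literal_ok"] = parse_option("{'a': 1, 'b': [2, 3]}") == {"a": 1, "b": [2, 3]}
    try:
        parse_option("os.getcwd()")  # a call, not a literal
        results["code_blocked"] = False
    except ValueError:
        results["code_blocked"] = True
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE library_id (uuid TEXT NOT NULL)")
    # Constructed hostile-looking value: with a bound parameter it is stored verbatim.
    odd = "x'); DROP TABLE library_id; --"
    results["sql_literal"] = set_library_id(conn, odd) == odd
    return results


if __name__ == "__main__":
    print(demo())
```

The container check uses os.path.commonpath on realpath-resolved paths rather than a string prefix test, which is the detail that makes sibling directories with a shared prefix and symlinked components behave correctly.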

#1136055#12
Date:
2026-05-08 19:56:18 UTC
From:
To:
Hi,

That should IMHO get its metadata fixed, that is get the bug fixed in
9.8.0+ds+~0.10.5-1 and so add a found version in an anchor of the
trixie version.

Can you ask upstream if they will publish a GHSA for both issues
separately and request CVEs?

Regards,
Salvatore

#1136055#19
Date:
2026-05-10 14:06:19 UTC
From:
To:
Hello Salvatore,

I updated the metadata.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135543

And I also updated salsa and made a new debdiff.
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...debian/trixie

I asked upstream, but he will not publish a GHSA.

#1136055#26
Date:
2026-05-24 06:57:45 UTC
From:
To:
I made more fixes as deb13u4.
So the online examine path for the deb13u3 fix has changed.
https://github.com/debian-calibre/calibre/compare/debian/8.5.0+ds-1+deb13u2...15e9d5649d1ff27e8bbd033309546080c0b8797c

Please confirm the deb13u3 fix before the deb13u4 fix.

#1136055#33
Date:
2026-05-24 09:14:36 UTC
From:
To:
Can you please squash all fixes into version +deb13u3 and send one debdiff?

Thanks,

#1136055#40
Date:
2026-05-24 23:56:33 UTC
From:
To:
Unified u3 and u4 into one debdiff.
I also updated salsa.

#1136055#47
Date:
2026-05-31 11:13:40 UTC
From:
To:
Hi,

Please go ahead.

Thanks,