#1138069 bookworm-pu: package calibre/6.13.0+repack-2+deb12u9

#1138069#5
Date: 2026-05-27 23:43:30 UTC
[ Reason ]
Fix CVE-2026-33205

[ Impact ]
A Server-Side Request Forgery vulnerability is unfixed.

[ Tests ]
Build time automated test was successful.

[ Risks ]
Not well tested on bookworm machine.

Calibre v6.13.0 code differs from the current upstream code, so I rewrote the
patch for v6.13.0. (A big change happened in v7.6.0.)
This means the fix is less reliable than trixie's fix.
Please review more carefully than trixie's CVE-2026-33205 fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2026-33205

[ Other info ]
* Server-Side Request Forgery in ebook viewer backend
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
* E-book viewer: prevent reading background images
https://github.com/kovidgoyal/calibre/commit/6eb7b5458f183c8a037e9d7dac428122a77204e4
* Examine this fix online
https://github.com/debian-calibre/calibre/compare/debian/6.13.0+repack-2+deb12u8...bookworm-update

#1138069#12
Date: 2026-05-28 20:01:09 UTC
Hi,

Please go ahead.

Thanks,

#1138069#19
Date: 2026-05-29 02:48:32 UTC
Hello,

Thank you.
I have uploaded it.

#1138069#24
Date: 2026-05-31 11:57:54 UTC
package release.debian.org
tags 1138069 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: calibre
Version: 6.13.0+repack-2+deb12u9

Explanation: prevent reading background images from outside the config dir [CVE-2026-33205]
