Calibre contains an outdated embedded copy of Mozilla's WOFF code (in src/calibre/utils/fonts/woff/), which is known to have some security issues.

1) https://bugzilla.mozilla.org/show_bug.cgi?id=552216 (aka CVE-2010-1028)
   Patch: https://hg.mozilla.org/releases/mozilla-1.9.2/rev/827a6883442f

2) https://bugzilla.mozilla.org/show_bug.cgi?id=522308
   Patch: https://hg.mozilla.org/mozilla-central/rev/69eb050f2c0a

Mozilla's newest release does not contain the vulnerable code.

Originally reported at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787085
Created calibre tracking bugs for this issue:

Affects: fedora-all [bug 1226189]
Is there a shared library that could be used instead? (dnf search doesn't return anything useful.)
(In reply to Zbigniew Jędrzejewski-Szmek from comment #2)
> Is there a shared library that could be used instead? (dnf search doesn't
> return anything useful.)

I couldn't find anything either. I suppose updating the embedded copy is the way to go. Other than that, you could propose a new package to be added to the repos.
The WOFF code has been removed from Calibre with version 2.34 (released on August 7, 2015).

https://github.com/kovidgoyal/calibre/commit/f862513e830d27eab7613d2aaa6104d7a9c55d5a

Fedora already packages newer versions of Calibre, so this should not be an issue any more.
Yep, this looks like it's no longer an issue...