Bug 1417556 (CVE-2016-10187) - CVE-2016-10187 calibre: Javascript in the book can access files on the computer using XMLHttpRequest
Summary: CVE-2016-10187 calibre: Javascript in the book can access files on the comput...
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2016-10187
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1417557
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-30 09:26 UTC by Andrej Nemec
Modified: 2019-09-29 14:05 UTC (History)
8 users (show)

Fixed In Version: calibre 2.75.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-24 19:42:37 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-30 09:26:07 UTC
A vulnerability was found in Calibre. It was found that a javascript present in the book can access files on the computer using XMLHttpRequest.

Upstream patch:

https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c

Upstream bug:

https://bugs.launchpad.net/calibre/+bug/1651728

Comment 1 Andrej Nemec 2017-01-30 09:26:37 UTC
Created calibre tracking bugs for this issue:

Affects: fedora-all [bug 1417557]

Comment 2 Andrej Nemec 2017-02-01 08:41:17 UTC
CVE assignment:

http://seclists.org/oss-sec/2017/q1/242

Comment 3 Adam Hunt 2017-10-02 21:11:52 UTC
A fix for this CVE was merged in Calibre on 21/12/2016 and became part of version 3.1.1.

https://github.com/kovidgoyal/calibre/commit/3a89718664cb8c

Comment 4 Andrew Toskin 2019-05-24 18:48:36 UTC
If the fix was merged in Calibre 3.1.1, then we can probably close this ticket, right? 3.1.1 was a while ago.


Note You need to log in before you can comment on or make changes to this bug.