[CVE] JavaScript in a book can access local files using XMLHttpRequest

Bug #1758699 reported by Simon Quigley on 2018-03-25
Affects / Importance / Assigned to
calibre (Ubuntu): Medium, Unassigned
Trusty: Medium, Simon Quigley
Xenial: Medium, Simon Quigley
Artful: Medium, Simon Quigley

Bug Description

For CVE-2016-10187:
The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript.

For CVE-2018-7889:
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
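The changelogs later in this report describe the fix for CVE-2018-7889 as using JSON instead of cPickle for bookmark data. The block below is an added example, not calibre's own code, of what that hardened import path looks like: the bookmark file is decoded as UTF-8, parsed with `json`, and every entry is checked against a fixed schema before a fresh plain dict is returned, so no deserializer that can instantiate arbitrary objects ever touches attacker-controlled bytes. The field names (`title`, `pos`, `type`) and the allowed `type` values are assumptions chosen for illustration, not calibre's real bookmark schema; the sample inputs are constructed.

```python
"""Hardened bookmark import: JSON plus schema validation instead of pickle.

Added example (not calibre's code). Field names and allowed values below are
assumptions for illustration, not calibre's real bookmark format.
"""
import json

MAX_BOOKMARKS = 10_000                    # refuse absurdly large imports
ALLOWED_KEYS = {"title", "pos", "type"}   # assumed schema
ALLOWED_TYPES = {"cfi", "legacy"}         # assumed values for "type"


class BookmarkImportError(ValueError):
    """Raised for any input that is not a well-formed bookmark list."""


def validate_bookmark(obj):
    """Return a new plain dict containing only the expected, typed fields."""
    if not isinstance(obj, dict):
        raise BookmarkImportError("bookmark entry is not an object")
    unknown = set(obj) - ALLOWED_KEYS
    if unknown:
        raise BookmarkImportError("unexpected keys: %s" % sorted(unknown))
    missing = ALLOWED_KEYS - set(obj)
    if missing:
        raise BookmarkImportError("missing keys: %s" % sorted(missing))
    title, pos, kind = obj["title"], obj["pos"], obj["type"]
    if not isinstance(title, str) or not isinstance(pos, str):
        raise BookmarkImportError("title and pos must be strings")
    if kind not in ALLOWED_TYPES:
        raise BookmarkImportError("unknown bookmark type %r" % (kind,))
    # Rebuild rather than return the parsed object, so only known fields survive.
    return {"title": title, "pos": pos, "type": kind}


def load_bookmarks(raw):
    """Parse raw file bytes into a validated list of bookmark dicts.

    json.loads only ever produces dicts, lists, str, numbers, bools and None,
    so unlike pickle.loads it cannot run code while deserializing.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        raise BookmarkImportError("bookmark file is not UTF-8 text") from e
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        raise BookmarkImportError("bookmark file is not valid JSON") from e
    if not isinstance(data, list):
        raise BookmarkImportError("top-level value must be a list")
    if len(data) > MAX_BOOKMARKS:
        raise BookmarkImportError("too many bookmarks")
    return [validate_bookmark(entry) for entry in data]


def rejects(raw):
    """True if load_bookmarks refuses the input (used by the checks below)."""
    try:
        load_bookmarks(raw)
    except BookmarkImportError:
        return True
    return False


# Constructed sample inputs (not taken from any real calibre bookmark file).
CONSTRUCTED_GOOD = (
    b'[{"title": "Chapter 3", "pos": "/6/4[chap03]!/4/2/1:0", "type": "cfi"}]'
)
# Binary, non-UTF-8 content such as a pickle stream is refused before parsing.
CONSTRUCTED_BINARY = b"\x80\x02constructed-non-json-bytes"
# Valid JSON but with a key outside the schema is refused too.
CONSTRUCTED_EXTRA_KEY = (
    b'[{"title": "x", "pos": "y", "type": "cfi", "extra": 1}]'
)
# Valid JSON with the wrong top-level shape.
CONSTRUCTED_NOT_LIST = b'{"title": "x", "pos": "y", "type": "cfi"}'

if __name__ == "__main__":
    print(load_bookmarks(CONSTRUCTED_GOOD))
    for sample in (CONSTRUCTED_BINARY, CONSTRUCTED_EXTRA_KEY, CONSTRUCTED_NOT_LIST):
        print("rejected:", rejects(sample))
```

The design point is that the parser's output type is bounded by construction: JSON can only yield a handful of primitive types, and `validate_bookmark` then narrows that to exactly the fields the viewer expects, returning a freshly built dict so nothing unexpected in the file propagates into application state.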

Simon Quigley (tsimonq2) on 2018-03-25
Changed in calibre (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in calibre (Ubuntu Trusty):
importance: Undecided → Medium
Changed in calibre (Ubuntu Xenial):
importance: Undecided → Medium
Changed in calibre (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
Simon Quigley (tsimonq2) wrote :

I have uploaded these fixes (for Xenial and Trusty) to a fresh test PPA of mine with all architectures switched on and only the security repo enabled. I then tested both in VMs of each release, and they work as intended. It also fixes the security issue.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878700/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8878706/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Changed in calibre (Ubuntu Trusty):
status: New → In Progress
Changed in calibre (Ubuntu Xenial):
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

Marc Deslauriers pointed out to me over IRC that Trusty and Xenial are also vulnerable to CVE-2018-7889.

So Trusty and Xenial need to receive patches for CVE-2016-10187 and CVE-2018-7889 while Artful just needs the patch for CVE-2018-7889.

I think it makes sense to mark the separate bug I filed for CVE-2018-7889 a duplicate of this one.

I'll update my PPA and test with this new information, and I'll report back.

Thanks!

description: updated
Simon Quigley (tsimonq2) on 2018-03-27
Changed in calibre (Ubuntu Artful):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Simon Quigley (tsimonq2)
Simon Quigley (tsimonq2) wrote :

No candidate patches, yet.

Changed in calibre (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in calibre (Ubuntu Xenial):
status: In Progress → Confirmed
Simon Quigley (tsimonq2) wrote :

I have reached a point where I would like some guidance as to the contents of the patch for the CVE-2018-7889 Trusty backport.

So, this is the line in src/calibre/gui2/viewer/bookmarkmanager.py that has been patched upstream for this:

     def item_to_bm(self, item):
- return cPickle.loads(bytes(item.data(Qt.UserRole)))
+ return item.data(Qt.UserRole).copy()
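Review bot: this hunk only changes the read side; the old line shows the Qt.UserRole value used to be pickled bytes, and the new `.copy()` only works if the value is now stored as a plain Python dict, so the matching change to wherever the item data is set must be carried along in any backport or `.copy()` will be called on a bytes object.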

( https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d )

Here is my attempt to backport it:

     def item_to_bm(self, item):
- return cPickle.loads(bytes(item.data(Qt.UserRole).toPyObject()))
+ return item.data(Qt.UserRole).copy()
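Review bot: the TypeError quoted later in this comment, `key PyQt4.QtCore.QString(u'pos') is not a string`, shows that under PyQt4 `toPyObject()` hands back a dict whose keys are QString objects rather than Python strings, and `.copy()` does nothing to normalise them; the backport either needs a step that converts each key (and any QString value) to unicode before the dict is returned, or the bookmark must be stored under Qt.UserRole as a native Python dict so no QVariant round-trip is involved.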

This errors out on runtime with this error: "AttributeError: 'QVariant' object has no attribute 'copy'"

I tried changing "return item.data(Qt.UserRole).copy()" to "return item.data(Qt.UserRole).toPyObject().copy()" but I'm thrown "TypeError: key PyQt4.QtCore.QString(u'pos') is not a string"

I expect that there are somewhat significant codebase differences due to the fact that Trusty is based off of PyQt4 while Bionic is based off of PyQt5, but I am a bit stumped at why this error would be thrown.

I've subscribed Marc directly because I have worked with him on this (briefly, via IRC), and I'm a bit out of time at the moment (18.04 is near) to be researching old PyQt4 syntax, but if I'm missing something obvious, please yell.

Thanks.

Simon Quigley (tsimonq2) wrote :

In the meantime, I have updated my PPA with working fixes (I tested each in a fresh VM; they work as intended and fix the security issue) for Xenial and Artful.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8981311/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8981308/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 2.55.0+dfsg-1ubuntu0.2

---------------
calibre (2.55.0+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: JavaScript in a book can access local files using
    XMLHttpRequest (LP: #1758699).
    - fix-CVE-2016-10187.patch
    - CVE-2016-10187
  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON.
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Wed, 11 Apr 2018 23:50:09 -0500

Changed in calibre (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 3.7.0+dfsg-2ubuntu0.1

---------------
calibre (3.7.0+dfsg-2ubuntu0.1) artful-security; urgency=medium

  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON (LP: #1758699).
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Thu, 12 Apr 2018 00:02:07 -0500

Changed in calibre (Ubuntu Artful):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package calibre - 1.25.0+dfsg-1ubuntu1.2

---------------
calibre (1.25.0+dfsg-1ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: JavaScript in a book can access local files using
    XMLHttpRequest (LP: #1758699).
    - fix-CVE-2016-10187.patch
    - CVE-2016-10187
  * SECURITY UPDATE: Malicious code execution when using CPickle instead of
    JSON (LP: #1758699).
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889

 -- Simon Quigley <email address hidden> Thu, 12 Apr 2018 16:06:17 -0500

Changed in calibre (Ubuntu Trusty):
status: Confirmed → Fix Released