Using calibre safely?
sktsee
sktseer at gmail.com
Wed Nov 30 13:26:49 UTC 2011
On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun at oneil.me.uk> wrote:
>> Hi Kevin,
>>
>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>
>>> For a few months now I've been using calibre to access the 100-or-so
>>> ebooks that I have (mostly DRM-free PDFs).
>>> I just became aware of a vulnerability built in to calibre.
>>> I am not enormously worried because this is a one-user system, and the
>>> vulnerability seems to involve privilege
>>> escalation by authorized users.
>>
>> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>
> I'm not using the Ubuntu version, but instead I use the calibre python
> installer. I much prefer the modern version, and 10.04 LTS is just so
> out of date. So I'm going to have to roll my own security. I'll have
> a look at that launchpad bug.
>
http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
title: "Remove the suid mount helper used on linux and bsd, as it proved
impossible to make it secure."
This entry was under the version 0.8.25 section of calibre's changelog
and took effect 2011-11-06. The current version is 0.8.28 so that
particular issue has been remedied.
--
sktsee