Using calibre safely?
Kevin O'Gorman
kogorman at gmail.com
Wed Nov 30 17:22:28 UTC 2011
On Wed, Nov 30, 2011 at 5:26 AM, sktsee <sktseer at gmail.com> wrote:
> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>
>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun at oneil.me.uk> wrote:
>>>
>>> Hi Kevin,
>>>
>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>
>>>> For a few months now I've been using calibre to access the 100-or-so
>>>> ebooks that I have (mostly DRM-free PDFs).
>>>> I just became aware of a vulnerability built in to calibre.
>>>> I am not enormously worried because this is a one-user system, and the
>>>> vulnerability seems to involve privilege
>>>> escalation by authorized users.
>>>
>>>
>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>> (since 10.10), or most other distros. The 'helper' was replaced by the
>>> packager by something which better integrated with the methods Ubuntu uses
>>> for mounting disks - see
>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>
>>
>> I'm not using the Ubuntu version, but instead I use the calibre python
>> installer. I much prefer the modern version, and 10.04 LTS is just so
>> out of date. So I'm going to have to roll my own security. I'll have
>> a look at that launchpad bug.
>>
>
> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>
> title: "Remove the suid mount helper used on linux and bsd, as it proved
> impossible to make it secure."
>
> This entry was under the version 0.8.25 section of calibre's changelog and
> took effect 2011-11-06. The current version is 0.8.28 so that particular
> issue has been remedied.
>
Not really. Natty shows version 0.7.44 in the repositories. The current version from the source is 0.8.28, and it still has the offending mount helper at /opt/calibre/bin/calibre-mount-helper.
I guess I'll just delete it each time I upgrade.
--
Kevin O'Gorman, PhD
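The "delete it each time I upgrade" step above can be made a routine check. The following is an added example, not code from the thread or from the calibre project: it scans an install tree for any file carrying the setuid or setgid bit and strips those bits with chmod u-s,g-s rather than deleting the binary, so the same check can be re-run after every upgrade. The helper path /opt/calibre/bin/calibre-mount-helper is the one the poster names; the function names and the sandbox directory the demo builds are this example's own assumptions, and the planted "helper" is an empty constructed script, not calibre's binary.

```shell
#!/bin/sh
# Added example (not from the thread or from calibre): audit an application
# install tree for setuid/setgid files and neutralise them. The poster's
# helper lived at /opt/calibre/bin/calibre-mount-helper; function names here
# are this example's own.

# Print every regular file under DIR that has the setuid or setgid bit set.
# -xdev keeps the scan on one filesystem so a bind mount inside the tree is
# not followed elsewhere. Output is sorted so it is stable for comparison.
find_setuid_files() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of setuid/setgid files under DIR (0 when there are none), which is
# the value a post-upgrade check would compare against.
count_setuid_files() {
    find_setuid_files "$1" | awk 'END { print NR }'
}

# Clear the setuid and setgid bits on every file find_setuid_files reports.
# The file stays in place, so nothing that expects it to exist breaks, but it
# no longer runs with elevated privileges. Prints each path it changed.
# On a root-owned tree such as /opt/calibre this must run as root.
strip_setuid_bits() {
    dir=$1
    find_setuid_files "$dir" | while IFS= read -r path; do
        chmod u-s,g-s "$path" && printf 'stripped: %s\n' "$path"
    done
}

# Stand-alone demonstration on a constructed sandbox mimicking the layout the
# poster describes. The planted helper is an empty script, not calibre's.
sandbox=$(mktemp -d)
mkdir -p "$sandbox/opt/calibre/bin"
printf '#!/bin/sh\nexit 0\n' > "$sandbox/opt/calibre/bin/calibre-mount-helper"
chmod 4755 "$sandbox/opt/calibre/bin/calibre-mount-helper"   # plant the setuid bit
printf 'before: %s setuid/setgid file(s)\n' "$(count_setuid_files "$sandbox")"
find_setuid_files "$sandbox"
strip_setuid_bits "$sandbox"
printf 'after:  %s setuid/setgid file(s)\n' "$(count_setuid_files "$sandbox")"
rm -rf "$sandbox"
```

Run against the real tree with `find_setuid_files /opt/calibre` after each upgrade; if it lists anything, `sudo` is needed for `strip_setuid_bits /opt/calibre` because the installer's files are root-owned. Stripping the bit is the more conservative choice than deleting the file: it removes the privilege-escalation surface while leaving the install tree intact.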