Using calibre safely?

Kevin O'Gorman kogorman at gmail.com
Wed Nov 30 17:22:28 UTC 2011


On Wed, Nov 30, 2011 at 5:26 AM, sktsee <sktseer at gmail.com> wrote:
> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>
>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun at oneil.me.uk>  wrote:
>>>
>>> Hi Kevin,
>>>
>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>
>>>> For a few months now I've been using calibre to access the 100-or-so
>>>> ebooks that I have (mostly DRM-free PDFs).
>>>> I just became aware of a vulnerability built in to calibre.
>>>> I am not enormously worried because this is a one-user system, and the
>>>> vulnerability seems to involve privilege
>>>> escalation by authorized users.
>>>
>>>
>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>> (since 10.10), or most other distros.  The 'helper' was replaced by the
>>> packager by something which better integrated with the methods Ubuntu uses
>>> for mounting disks - see
>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>
>>
>> I'm not using the Ubuntu version, but instead I use the calibre python
>> installer.  I much prefer the modern version, and 10.04 LTS is just so
>> out of date.  So I'm going to have to roll my own security.  I'll have
>> a look at that launchpad bug.
>>
>
> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>
> title: "Remove the suid mount helper used on linux and bsd, as it proved
> impossible to make it secure."
>
> This entry was under the version 0.8.25 section of calibre's changelog and
> took effect 2011-11-06. The current version is 0.8.28 so that particular
> issue has been remedied.
>

Not really.  Natty shows version 0.7.44 in the repositories.  The
current version from
the source is 0.8.28, and it still has the offending mount helper at
/opt/calibre/bin/calibre-mount-helper.

I guess I'll just delete it each time I upgrade.

-- 
Kevin O'Gorman, PhD
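A post-upgrade check for the situation described above, added here as an example and not code from the thread or from calibre: it lists any setuid files under the binary installer's /opt/calibre tree and strips the setuid bit, and can also delete the helper outright as the post proposes. The /opt/calibre prefix and the helper path are taken from the thread; the function names and the directory argument are my own.

```shell
#!/bin/sh
# Added example: run after each calibre binary-installer upgrade to make sure
# the install tree carries no setuid executables (the mount helper is
# reinstalled by the installer, so a one-time deletion does not stick).

# Strip the setuid bit from every regular file under $1 (default /opt/calibre).
# Each file handled is reported on stderr; the count is printed on stdout.
neutralize_suid_helpers() {
    dir="${1:-/opt/calibre}"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # List first so the administrator sees exactly what is being changed.
    found=$(find "$dir" -type f -perm -4000 -print)
    [ -z "$found" ] && { echo 0; return 0; }
    printf '%s\n' "$found" | sed 's/^/stripping setuid bit: /' >&2
    # chmod u-s keeps the file but removes the privilege-escalation surface.
    find "$dir" -type f -perm -4000 -exec chmod u-s {} +
    printf '%s\n' "$found" | grep -c ''
}

# Delete the known helper outright, as the post proposes, if it is present.
# Path argument defaults to the location named in the thread.
remove_mount_helper() {
    helper="${1:-/opt/calibre/bin/calibre-mount-helper}"
    [ -e "$helper" ] || return 0
    rm -f -- "$helper"
}

# Typical use after an upgrade (uncomment to run against the real install):
# neutralize_suid_helpers /opt/calibre
# remove_mount_helper
```

Running it as root is only needed for the real /opt/calibre tree; for a tree you own, the functions work unprivileged.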
