authorEli Schwartz <eschwartz@gentoo.org>2024-07-30 23:49:37 -0400
committerEli Schwartz <eschwartz@gentoo.org>2024-07-30 23:51:38 -0400
commit34c67cbd5d13469221f14e46981a8e6a91fb2068 (patch)
tree9d6fd50694ba30e9552d5ab1e06229e2e9a03f3b /app-text/calibre
parentapp-text/calibre: add 7.16.0 (diff)
app-text/calibre: backport fix for CVE-2024-7008 to 5.44
Although 4 CVEs were fixed in 7.16.0, only one of them (relatively minor) is present in 5.x. Bug: https://bugs.gentoo.org/936961 Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>
Diffstat (limited to 'app-text/calibre')
-rw-r--r--app-text/calibre/calibre-5.44.0-r5.ebuild (renamed from app-text/calibre/calibre-5.44.0-r4.ebuild)2
-rw-r--r--app-text/calibre/files/calibre-5.44.0-xss-backport.patch33
2 files changed, 35 insertions, 0 deletions
diff --git a/app-text/calibre/calibre-5.44.0-r4.ebuild b/app-text/calibre/calibre-5.44.0-r5.ebuild
index 2c00399d5c90..48b7aadde2b2 100644
--- a/app-text/calibre/calibre-5.44.0-r4.ebuild
+++ b/app-text/calibre/calibre-5.44.0-r5.ebuild
@@ -135,6 +135,8 @@ PATCHES=(
"${FILESDIR}"/${P}-icu75.patch
# backport test-only fix for lxml 5
"${FILESDIR}"/e9cc00560a28f56a303cca97630ab58e519dd9c8.patch
+ # Security backport for CVE-2024-7008
+ "${FILESDIR}"/${P}-xss-backport.patch
)
src_prepare() {
diff --git a/app-text/calibre/files/calibre-5.44.0-xss-backport.patch b/app-text/calibre/files/calibre-5.44.0-xss-backport.patch
new file mode 100644
index 000000000000..83bb8cca8cf5
--- /dev/null
+++ b/app-text/calibre/files/calibre-5.44.0-xss-backport.patch
@@ -0,0 +1,33 @@
+Changelog:
+
+Only relevant if you embed the calibre server within a larger server, it
+means attackers who can convince users to click on a specially crafted
+link, can run JavaScript code with the same origin as the larger server
+calibre is embedded in.
+
+From e75f85919a3c3a5f2d87861050d8483d66561c06 Mon Sep 17 00:00:00 2001
+From: Kovid Goyal <kovid@kovidgoyal.net>
+Date: Tue, 30 Jul 2024 13:40:21 +0530
+Subject: [PATCH] Fix #2075130 [Private
+ bug](https://bugs.launchpad.net/calibre/+bug/2075130)
+
+---
+ src/calibre/srv/legacy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
+index 055228ebee..85586b07a6 100644
+--- a/src/calibre/srv/legacy.py
++++ b/src/calibre/srv/legacy.py
+@@ -255,7 +255,7 @@ def browse(ctx, rd, rest):
+ if rest.startswith('book/'):
+ # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
+ # redirect old server book URLs to new URLs
+- redirect = ctx.url_for(None) + '#book_id=' + rest[5:] + "&amp;panel=book_details"
++ redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) + "&amp;panel=book_details"
+ from lxml import etree as ET
+ return html(ctx, rd, endpoint,
+ E.html(E.head(
+--
+2.44.2
+
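Review bot: In the backported `browse()` line, `'#book_id=' + int(rest[5:])` concatenates a str with an int, so, assuming `ctx.url_for(None)` returns a str, the expression raises TypeError for every `book/` URL, including valid numeric ids. That still keeps attacker-controlled text out of the generated redirect, but the legacy redirect this branch exists for appears to stop working. Converting back to text after validation keeps both properties: `redirect = ctx.url_for(None) + '#book_id=' + str(int(rest[5:])) + "&amp;panel=book_details"`. A non-numeric suffix then raises ValueError, so it is worth confirming that the server answers that with a client error rather than a 500; the rest of `browse()` lies outside the hunk, so its exception handling cannot be checked from here.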