Launchpad CVE tracker

CVE 2018-7889

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

Related bugs and status

CVE-2018-7889 (Candidate) is related to these bugs:

Bug #1753870: Code Execution in Calibre as a resut of the use of Pickle

Summary				In	Importance	Status
	1753870	Code Execution in Calibre as a resut of the use of Pickle		calibre	Undecided	Invalid

Bug #1758699: [CVE] JavaScript in a book can access local files using XMLHttpRequest

		In	Importance	Status
1758699	[CVE] JavaScript in a book can access local files using XMLHttpRequest	calibre (Ubuntu)	Medium	Fix Released
1758699	[CVE] JavaScript in a book can access local files using XMLHttpRequest	calibre (Ubuntu Xenial)	Medium	Fix Released
1758699	[CVE] JavaScript in a book can access local files using XMLHttpRequest	calibre (Ubuntu Trusty)	Medium	Fix Released
1758699	[CVE] JavaScript in a book can access local files using XMLHttpRequest	calibre (Ubuntu Artful)	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2018-7889

References