
[ASA-201803-8] calibre: arbitrary command execution
Arch Linux Security Advisory ASA-201803-8
=========================================

Severity: High
Date    : 2018-03-11
CVE-ID  : CVE-2018-7889
Package : calibre
Type    : arbitrary command execution
Remote  : Yes
Link    :

Summary
=======

The package calibre before version 3.19.0-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 3.19.0-1.

# pacman -Syu "calibre>=3.19.0-1"

The problem has been fixed upstream in version 3.19.0.

Workaround
==========

None.

Description
===========

gui2/viewer/ in Calibre 3.18 calls cPickle.load on imported bookmark
data, which allows remote attackers to execute arbitrary code via a
crafted .pickle file, as demonstrated by Python code that contains an
os.system call.

Impact
======

A remote attacker is able to execute arbitrary commands by tricking the
user into importing a specially crafted bookmark.
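The unsafe pattern in the Description, seen from the defending side, as an added example that is not from the advisory or from calibre's code: a loader that parses pickled bookmark data while refusing every global lookup, so a file that tries to reach a callable is rejected instead of executed. The bookmark structure (a list of dicts), the function and class names, and both sample inputs are assumptions constructed for illustration.

```python
import io
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Plain containers, strings and numbers have dedicated opcodes and never
    reach find_class; anything that needs an importable name (a class, or a
    callable to invoke on load) does, and is rejected here.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in bookmark data" % (module, name))


def load_bookmarks(raw):
    """Parse untrusted bookmark bytes; return a list of dicts or raise ValueError."""
    try:
        data = DataOnlyUnpickler(io.BytesIO(raw)).load()
    except Exception as exc:  # malformed streams raise several exception types
        raise ValueError("rejected bookmark file: %s" % exc)
    # Assumed structure for this example: a list of dict records.
    if not isinstance(data, list) or not all(isinstance(b, dict) for b in data):
        raise ValueError("rejected bookmark file: unexpected structure")
    return data


class CallsOnLoad(object):
    """Constructed sample: asks the unpickler to call a harmless builtin."""

    def __reduce__(self):
        return (len, ("constructed",))


# Constructed sample inputs (not taken from calibre).
GOOD = pickle.dumps([{"title": "Chapter 2", "pos": 0.25}], protocol=2)
BAD = pickle.dumps([CallsOnLoad()], protocol=2)


def is_rejected(raw):
    """Return True when load_bookmarks refuses the input."""
    try:
        load_bookmarks(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_bookmarks(GOOD))
    print("crafted file rejected:", is_rejected(BAD))
```

A data-only format such as JSON avoids this class of problem entirely; a restricted unpickler is for cases where existing pickle files must still be read.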