Subject: [ASA-201803-8] calibre: arbitrary command execution Arch Linux Security Advisory ASA-201803-8 ========================================= Severity: High Date : 2018-03-11 CVE-ID : CVE-2018-7889 Package : calibre Type : arbitrary command execution Remote : Yes Link : https://security.archlinux.org/AVG-650 Summary ======= The package calibre before version 3.19.0-1 is vulnerable to arbitrary command execution. Resolution ========== Upgrade to 3.19.0-1. # pacman -Syu "calibre>=3.19.0-1" The problem has been fixed upstream in version 3.19.0. Workaround ========== None. Description =========== gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. Impact ====== A remote attacker is able to execute arbitrary commands by tricking the user into importing a specially crafted bookmark. References ========== https://bugs.launchpad.net/calibre/+bug/1753870 https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d https://security.archlinux.org/CVE-2018-7889