CVE-2018-7889

Source
Severity High
Remote Yes
Type Arbitrary command execution
Description
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
Group Package Affected Fixed Severity Status Ticket
AVG-650 calibre 3.18.0-1 3.19.0-1 High Fixed
Date Advisory Group Package Severity Description
11 Mar 2018 ASA-201803-8 AVG-650 calibre High arbitrary command execution
References
https://bugs.launchpad.net/calibre/+bug/1753870
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d