ArchLinux: 201803-8: calibre: arbitrary command execution
Summary
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. Unpickling is not a plain data-parsing step: the stream names callables (via GLOBAL/REDUCE opcodes) that the loader imports and invokes, so a bookmark file obtained from an untrusted source is effectively a script that runs with the privileges of the user importing it.
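Added example, not code from the advisory or from the calibre project: it shows the class of bug named above and two ways to close it. The malicious "bookmark file" is constructed inline and its gadget is the harmless platform.system rather than the os.system call the CVE text describes, so the block is safe to run; Python 3's pickle is used in place of Python 2's cPickle (same wire format, same loader behaviour). The JSON loader and its field names (title, pos) are an assumption about what a pickle-free bookmark format looks like, not a claim about the exact upstream change.

```python
import io
import json
import pickle
import platform

# Value the gadget produces when it runs; the vulnerable loader will hand this
# back in place of the bookmark object, proving the callable was invoked.
GADGET_RESULT = platform.system()


class BookmarkPayload:
    """Constructed hostile object. pickle serialises the (callable, args) pair
    returned by __reduce__, and the loader calls it. Swap platform.system for
    os.system and the args for a command string to get the CVE's behaviour."""

    def __reduce__(self):
        return (platform.system, ())


def build_malicious_pickle() -> bytes:
    # Looks like an exported bookmark list but carries the gadget.
    return pickle.dumps({"bookmarks": [BookmarkPayload()]}, protocol=2)


def vulnerable_import(data: bytes):
    # Equivalent of the advisory's cPickle.load on attacker-supplied bytes.
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: keep pickle but refuse every global reference. Bookmark
    data needs only dicts, lists, strings and numbers, none of which require
    find_class, so any lookup here is hostile."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def hardened_pickle_import(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def json_import(text: str):
    """Mitigation 2: a format with no code paths at all, plus a schema check.
    Assumed schema: {"bookmarks": [{"title": str, "pos": str}, ...]}."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("bookmarks"), list):
        raise ValueError("bookmark file: expected object with a bookmarks list")
    out = []
    for bm in doc["bookmarks"]:
        if (not isinstance(bm, dict)
                or not isinstance(bm.get("title"), str)
                or not isinstance(bm.get("pos"), str)):
            raise ValueError("bookmark file: each entry needs string title and pos")
        out.append({"title": bm["title"], "pos": bm["pos"]})
    return out


def rejects(loader, data) -> bool:
    """True when the loader refuses the input, the outcome wanted for hostile data."""
    try:
        loader(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("vulnerable loader ran gadget:",
          vulnerable_import(evil)["bookmarks"][0] == GADGET_RESULT)
    print("restricted unpickler rejected it:", rejects(hardened_pickle_import, evil))
    good = json.dumps({"bookmarks": [{"title": "Ch. 3", "pos": "epubcfi(/6/8!/4/2)"}]})
    print("json loader result:", json_import(good))
```

The restricted unpickler only helps when the expected data genuinely needs no globals; as soon as the format legitimately pickles class instances, an allowlist of (module, name) pairs has to be maintained and every entry becomes a potential gadget. Moving to JSON, as the second loader does, removes that maintenance burden entirely, which is why it is the preferred fix for a user-importable file.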
Resolution
Upgrade to 3.19.0-1.
# pacman -Syu "calibre>=3.19.0-1"
The problem has been fixed upstream in version 3.19.0.
References
https://bugs.launchpad.net/calibre/+bug/1753870
https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
https://security.archlinux.org/CVE-2018-7889
Workaround
None.