CVE-2023-46303

NameCVE-2023-46303
Descriptionlink_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3862-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
calibre (PTS)jessie2.5.0+dfsg-1vulnerable
stretch2.75.1+dfsg-1vulnerable
buster3.39.1+dfsg-3vulnerable
bullseye5.12.0+dfsg-1+deb11u2vulnerable
bullseye (security)5.12.0+dfsg-1+deb11u3fixed
bookworm6.13.0+repack-2+deb12u4fixed
sid, trixie7.21.0+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
calibresourcejessie(unfixed)end-of-life
calibresourcestretch(unfixed)end-of-life
calibresourcebullseye5.12.0+dfsg-1+deb11u3DLA-3862-1
calibresourcebookworm6.13.0+repack-2+deb12u3
calibresource(unstable)6.19.1-1

Notes

[buster] - calibre <no-dsa> (Minor issue)
https://github.com/0x1717/ssrf-via-img
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b (v6.19.0)

Search for package or bug name: Reporting problems