Bugzilla – Bug 1084602
VUL-0: CVE-2018-7889: calibre: Calls cPickle.load on imported bookmark/meta data, which allows remote attackers to execute arbitrary code
Last modified: 2018-03-09 23:30:19 UTC
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported
bookmark data, which allows remote attackers to execute arbitrary code via a
crafted .pickle file, as demonstrated by Python code that contains an os.system
This is fixed in 3.19, which was released yesterday and will soon be in Factory.
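The issue described in this bug, that unpickling imported bookmark data lets the file decide which callables run at load time, is shown below with two defensive loaders. This is an added example, not Calibre's code and not its 3.19 fix. It assumes Python 3 `pickle` in place of Python 2 `cPickle`, and the bookmark schema and all function and class names are hypothetical.

```python
import io
import json
import pickle

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain data can be rebuilt."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in bookmark data" % (module, name))

def validate(data):
    """Hypothetical schema: a list of {"title": str, "pos": str} dicts."""
    if not isinstance(data, list):
        raise ValueError("bookmarks must be a list")
    for bm in data:
        if not (isinstance(bm, dict) and set(bm) == {"title", "pos"}
                and all(isinstance(v, str) for v in bm.values())):
            raise ValueError("malformed bookmark entry")
    return data

def load_bookmarks_restricted(raw):
    """Read legacy pickled bookmarks without resolving any callable."""
    return validate(NoGlobalsUnpickler(io.BytesIO(raw)).load())

def load_bookmarks_json(raw):
    """Preferred: a data-only format that cannot name code to run."""
    return validate(json.loads(raw.decode("utf-8")))

class _CallsOnLoad:
    """Constructed stand-in: its pickle asks the loader to call int("42")."""
    def __reduce__(self):
        return (int, ("42",))

# Constructed sample inputs (not real Calibre bookmark files).
GOOD = [{"title": "Chapter 1", "pos": "epubcfi(/6/4)"}]
GOOD_PICKLE = pickle.dumps(GOOD)
CALLABLE_PICKLE = pickle.dumps(_CallsOnLoad())

def is_rejected(raw):
    """True if the restricted loader refuses the input."""
    try:
        load_bookmarks_restricted(raw)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

if __name__ == "__main__":
    print("plain pickle.loads ran the callable:", pickle.loads(CALLABLE_PICKLE))
    print("restricted loader rejects it:", is_rejected(CALLABLE_PICKLE))
    print("restricted loader accepts data:", load_bookmarks_restricted(GOOD_PICKLE))
```

Plain `pickle.loads` on the constructed input returns the result of the call the file requested rather than a bookmark object, which is the behaviour the restricted loader and the JSON loader both remove.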