Bug 1193469 - (CVE-2021-44686) VUL-1: CVE-2021-44686: calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py.
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware / OS: Other / Other
Priority / Severity: P4 - Low / Minor
Target Milestone: ---
Assigned To: Eric Schirra
Security Team bot
URL: https://smash.suse.de/issue/316416/
Reported: 2021-12-07 10:42 UTC by Carlos López
Modified: 2022-03-19 11:56 UTC (History)

Found By: Security Response Team

Description Carlos López 2021-12-07 10:42:41 UTC
CVE-2021-44686

calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS
(Regular Expression Denial of Service) in html_preprocess_rules in
ebooks/conversion/preprocess.py.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44686
http://www.cvedetails.com/cve/CVE-2021-44686/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44686
https://github.com/dwisiswant0/advisory/issues/18
https://github.com/kovidgoyal/calibre/compare/v5.31.1...v5.32.0
https://bugs.launchpad.net/calibre/+bug/1951979
Comment 1 Carlos López 2021-12-07 10:44:14 UTC
Affected codestreams:
 - openSUSE:Backports:SLE-15-SP2
 - openSUSE:Leap:15.2
 - openSUSE:Leap:15.3
 - openSUSE:Leap:15.4

Fix already introduced in openSUSE:Factory. Upstream commit:
https://github.com/kovidgoyal/calibre/commit/235b7e38c197ba4a3c17531e516610af8795e348
Comment 2 Andreas Stieger 2022-03-19 11:56:26 UTC
We are at 3.48.0 or later.