| Name | CVE-2025-64486 |
| Description | calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| calibre (PTS) | bullseye | 5.12.0+dfsg-1+deb11u2 | vulnerable |
| | bullseye (security) | 5.12.0+dfsg-1+deb11u3 | vulnerable |
| | bookworm | 6.13.0+repack-2+deb12u4 | vulnerable |
| | trixie | 8.5.0+ds-1 | vulnerable |
| | forky | 8.15.0+ds+~0.10.5-1 | fixed |
| | sid | 8.15.0+ds+~0.10.5-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| calibre | source | (unstable) | 8.14.0+ds+~0.10.5-1 | | | |
[trixie] - calibre <no-dsa> (Will be fixed via point update)
[bookworm] - calibre <no-dsa> (Will be fixed via point update)
[bullseye] - calibre <postponed> (Minor issue; fix after bookworm)
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
Fixed by: https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5 (v8.14.0)