Calibre and setuid
Posted Nov 4, 2011 17:27 UTC (Fri) by joey (guest, #328)
Parent article: Calibre and setuid
Astoundingly the train wreck is still going on in the bug report a day after this article was posted.
When I took a brief look at calibre, I found copyright violations in its test suite. http://bugs.debian.org/640021
Its plugin updater seems generally insecure; plugins are downloaded from a third-party website, without encryption or validation. (There is a pleasant warning that "Plugins can contain a virus/malware.")
http://bugs.debian.org/640026
As LWN previously noted, Calibre phones home with a UUID on startup.
http://lwn.net/Articles/456504/ (disabled in Debian/Ubuntu)
Wouldn't touch this with a barge pole.
