A KDE Dev finds a flaw in Calibre's mount system
A KDE developer discovered a serious security flaw in the way Calibre mounts eBook readers and tablets. The resulting bug list discussion was surprising, to say the least.
http://blog.zx2c4.com/702
I have to say, even though the mount system was removed, I can't say I have much confidence in Calibre's developer right now.
no subject
(Anonymous) 2011-12-18 01:56 am (UTC)
For someone preparing fairly straightforward books, Calibre and its advice pages very carefully take you round all the hassles with graphics and the TOC, and even though it doesn't undertake to be an ideal 'first input' processor, only a handler, it's still brill for creation. OK, you might not like its handling flavour or in one case its security, but it's the best thing that's hit ebook production that I've seen.
As for eCub, this comment..
http://www.mobileread.com/forums/archive/index.php/t-47559.html
...mirrors my thoughts exactly, except I'd have expressed them more harshly. I'd never consider anything from that stable now. After my experience with the truly pathetic eCub, I was praying that something like Calibre would turn up, and amazingly it did.
no subject
*squints*
Nope. Still can't figure out what this comment has to do with my answering
no subject
1. the author thinks that since this issue is limited to Linux it's not a problem as far as they are concerned, and
2. they seem to think that the problem is that users don't like its security, but that shouldn't matter because it's the best thing for ebook production in years.
Point one, I'm far from an expert, and I've only ever used Windows, but I'm hearing about Linux as a replacement for Windows more and more and not just in academic circles where I work, but as home use systems. Paired with the fact that calibre is the most popular ebook management and conversion system, that means home users might come across this problem.
Point two, as far as I'm concerned, it doesn't matter whether a program is pure gold in its design, implementation, whatever of everything else, if it exposes my computer to security issues, I would remove it without having a second thought about possibly losing the rest of its functionality. There's nothing that's as important to me as online security, and if I have to manually convert the enormous amounts of fic I've collected over the years, then by God I'll do it.
And I have to add this:
it would be really nice of you if you would sign your post if you don't have a Dreamwidth account and you're not willing to comment with an OpenID account. I've never been shy of expressing my opinions (favorable or not) under my own username, either here or at MobileRead, and will continue to do so.
Plus, if you've familiarized yourself with calibre and its help pages, you would know that the author of the program spells its name in lowercase.