[Backport release-25.11] calibre: backport multiple CVE patches#496499

Open
sempiternal-aurora wants to merge 4 commits into NixOS:release-25.11 from sempiternal-aurora:calibre-cve-backport
Conversation

@sempiternal-aurora sempiternal-aurora commented Mar 4, 2026

Manually backporting CVE fixes to #494339 #494340 #495148 #496127 because the unstable version bump to 9.4.0 isn't suitable for backporting imo.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-26064
Upstream advisory: GHSA-72ch-3hqc-pgmp
Nix security tracking issue: https://tracker.security.nixos.org/issues/NIXPKGS-2026-0326

Fixes NixOS#494339

Not-cherry-picked-because: unstable version bump not suitable for backport

CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-26065
Upstream advisory: GHSA-vmfh-7mr7-pp2w
Nix security tracking issue: https://tracker.security.nixos.org/issues/NIXPKGS-2026-0327

Fixes NixOS#494340

Not-cherry-picked-because: unstable version bump not suitable for backport

CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-27810
Upstream advisory: GHSA-5fpj-fxw7-8grw
Nix security tracking issue: https://tracker.security.nixos.org/issues/NIXPKGS-2026-0485

Fixes NixOS#495148

Not-cherry-picked-because: unstable version bump not suitable for backport

CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-27824
Upstream advisory: GHSA-vhxc-r7v8-2xrw
Nix security tracking issue: https://tracker.security.nixos.org/issues/NIXPKGS-2026-0504

Fixes NixOS#496127

Not-cherry-picked-because: unstable version bump not suitable for backport
@github-actions github-actions bot left a comment

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Important

eda05a6 is not a cherry-pick, because: unstable version bump not suitable for backport. Please review this commit manually.

Important

75c7832 is not a cherry-pick, because: unstable version bump not suitable for backport. Please review this commit manually.

Important

a96c6c9 is not a cherry-pick, because: unstable version bump not suitable for backport. Please review this commit manually.

Important

59903d8 is not a cherry-pick, because: unstable version bump not suitable for backport. Please review this commit manually.

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@nixpkgs-ci nixpkgs-ci bot requested a review from pSub March 4, 2026 07:01
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 4.workflow: backport This targets a stable branch labels Mar 4, 2026
@sempiternal-aurora sempiternal-aurora added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Mar 4, 2026
@Stebalien

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 496499
Commit: 59903d8cf6a9bce586a1dc6cd2eb1eb4ff1979cf


x86_64-linux

✅ 2 packages built:
  • calibre
  • unbook

Stebalien commented Mar 4, 2026

I've tested the main program and the server, and they both seem to work properly.

I've also checked all the CVEs and these seem to be the correct patches.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Mar 4, 2026
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2843
