Calibre Path Traversal Vulnerability in PDB Readers Allowing Arbitrary File Writes and Potential Code Execution

Vulnerability

A path traversal vulnerability has been identified in Calibre, a cross-platform e-book management application. It affects versions through 9.2.1 and lies in the PDB eReader component, in both the 132-byte and 202-byte header variants. The flaw allows a crafted PDB file to write a file with any extension and any content to any location where the user running Calibre has write permission. Existing files are overwritten without warning, which can lead to file corruption, a denial-of-service condition, and potential code execution. The vulnerability is triggered when the malicious PDB file is converted using the Calibre GUI.

Impact

Exploitation of this vulnerability could result in unauthorized file writes, overwriting existing files, and potential execution of malicious scripts, such as batch files, that could disrupt normal system operations or cause other harm.

Reproduction

To reproduce this vulnerability, create a PDB file that includes image records with traversal paths in the name field and arbitrary content in the data field. Once the PDB file is prepared, convert it using the Calibre GUI. The conversion process will trigger the path traversal vulnerability, allowing the specified content to be written to the traversed path, overwriting any existing files.

Remediation

Users can update to Calibre version 9.3.0 or later, where this vulnerability has been fixed.
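The following is an added illustration, written for this page and not Calibre's own code, of the containment check a PDB reader needs before it writes an image record's data under the name taken from the record's name field. Function names and the sample record bytes are constructed for the example.

```python
import ntpath
import posixpath
import tempfile
from pathlib import Path


def safe_output_path(output_dir: str, record_name: str) -> Path:
    """Map an image record's name field to a path inside output_dir, or raise ValueError.

    Absolute paths, Windows drive/UNC prefixes and any '..' component are rejected
    rather than silently flattened, so a crafted record fails the conversion loudly.
    Only the final component of a relative name is used as the output file name.
    """
    base = Path(output_dir).resolve()
    name = record_name.replace("\\", "/")  # treat both separator styles alike on every OS
    if not name or posixpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError(f"absolute or drive-qualified record name: {record_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"traversal in record name: {record_name!r}")
    candidate = (base / parts[-1]).resolve()
    if candidate.parent != base:  # defence in depth: resolved path must stay in output_dir
        raise ValueError(f"resolved path escapes output directory: {candidate}")
    return candidate


def is_safe_record_name(output_dir: str, record_name: str) -> bool:
    """Boolean form of safe_output_path, handy for filtering or logging suspicious records."""
    try:
        safe_output_path(output_dir, record_name)
        return True
    except ValueError:
        return False


def write_image_record(output_dir: str, record_name: str, data: bytes) -> Path:
    """Write one record's bytes to a validated path; 'x' mode refuses to overwrite a file."""
    target = safe_output_path(output_dir, record_name)
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo() -> tuple:
    """Write a benign record into a scratch directory and show a traversal name is refused."""
    with tempfile.TemporaryDirectory() as scratch:
        written = write_image_record(scratch, "cover.jpg", b"\xff\xd8\xff")  # constructed bytes
        refused = not is_safe_record_name(scratch, "../../evil.bat")
        return written.name, refused
```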

Added: Feb 20, 2026, 2:37 AM
Updated: Feb 20, 2026, 2:37 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 4.2
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.