PT-2018-18307 · Kovid Goyal+1 · Calibre+1
Ayrx · Published 2018-03-08 · Updated 2018-10-19 · CVE-2018-7889
CVSS v3.1: 7.8 High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Calibre version 3.18
Description:
Arbitrary code execution via a crafted .pickle file. The gui2/viewer/bookmarkmanager.py module in Calibre calls cPickle.load on imported bookmark data, so unpickling a file supplied by an attacker runs code of the attacker's choosing, allowing remote attackers to execute arbitrary code. This can be demonstrated with a pickle whose payload is Python code containing an os.system call.
Recommendations:
For Calibre version 3.18, avoid calling cPickle.load on untrusted input until a patch is available. As a temporary workaround, restrict bookmark imports to files from trusted sources to minimize the risk of exploitation.
RCE
Deserialization of Untrusted Data
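A defensive loader for the recommendation above, added here as an example and not Calibre's own code: it replaces an unrestricted pickle load of imported bookmark data with an unpickler that refuses every global (module.name) reference, which is what a crafted pickle must resolve before it can reach anything like os.system. It uses Python 3 pickle in place of the Python 2 cPickle named in the description, and the bookmark structure in the sample is assumed.

```python
import io
import pickle

# Added example, not Calibre's code. Bookmark data is plain data (lists,
# dicts, strings, numbers), so a loader for it never needs to resolve a
# module.name reference; refusing every such reference removes the path
# by which an unpickled file can invoke a callable such as os.system.

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global (module.name) reference."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s in bookmark data" % (module, name))


def load_bookmarks(data: bytes) -> list:
    """Deserialise imported bookmark bytes, allowing only primitive objects."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, list):
        raise ValueError("bookmark file must contain a list of bookmarks")
    return obj


# Constructed sample: a benign bookmark export (field names are assumed).
BENIGN = pickle.dumps([{"title": "Chapter 1", "pos": "1/2/3"}], protocol=2)

# Constructed sample: a pickle carrying a global reference, here the harmless
# builtins.list. A malicious file would reference a callable with side
# effects instead; the restricted loader rejects both in the same way.
GLOBAL_REF = pickle.dumps(list, protocol=2)


def demo():
    """Return (benign bookmarks, whether the global-bearing pickle was refused)."""
    bookmarks = load_bookmarks(BENIGN)
    try:
        load_bookmarks(GLOBAL_REF)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return bookmarks, rejected


if __name__ == "__main__":
    print(demo())
```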
Affected Products: Alt Linux, Calibre