-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 25 May 2026 08:19:53 +0900 Source: calibre Architecture: source Version: 8.5.0+ds-1+deb13u3 Distribution: trixie Urgency: medium Maintainer: Calibre maintainer team Changed-By: YOKOTA Hiroshi Closes: 1135543 Changes: calibre (8.5.0+ds-1+deb13u3) trixie; urgency=medium . * Fix security vulnerabilities and code quality issues (Closes: #1135543) * CVE-2026-30853: RB Input: Ensure files are extracted within container dir * CVE-2026-33205 (1/2): E-book viewer: prevent reading background images from outside the config dir * CVE-2026-33205 (2/2): E-book viewer: Disallow background images from the internet. This was an unused feature anyway * CVE-2026-33206: TXT Input: Ensure resource files are read only from book contents Checksums-Sha1: 7860dfcfecf1c9836bf3a0d313cb8f4b4ea199ce 3681 calibre_8.5.0+ds-1+deb13u3.dsc 92006444859ce3a071d98ee164711b3dd88e9cf7 895400 calibre_8.5.0+ds-1+deb13u3.debian.tar.xz 6119fa9753e877bb8030920c298d204a28f9c5f8 23916 calibre_8.5.0+ds-1+deb13u3_source.buildinfo Checksums-Sha256: 259786eb12734e4ab6a714ab4b06fa9d90bb923c4424e3138d1b6ad057436dc6 3681 calibre_8.5.0+ds-1+deb13u3.dsc 228513db804f75762cad9591aa1ec1fd91b8b1a6ff5c3c12abe9ccb4d5c5fed5 895400 calibre_8.5.0+ds-1+deb13u3.debian.tar.xz 048f06bc137fa90135a9abcec20a4b47e9e45788fbb8d80ecc2c6f44210774e0 23916 calibre_8.5.0+ds-1+deb13u3_source.buildinfo Files: 2c2f864e2e30683f569109517f0614d4 3681 text optional calibre_8.5.0+ds-1+deb13u3.dsc 53e8503a3559155a527aadb408aaabfb 895400 text optional calibre_8.5.0+ds-1+deb13u3.debian.tar.xz be764f9cc66d1604b72b0aa9b82e75ef 23916 text optional calibre_8.5.0+ds-1+deb13u3_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJKBAEBCgA0FiEErjlfKHqxT11VFyPEqem2T5LebcoFAmodMmgWHHlva290YS5o Z21sQGdtYWlsLmNvbQAKCRCp6bZPkt5tyjHKD/9tzyYBjC6F56Ksnn/eKVgZHYUG eirk86rs+uhlS2vQ/QDtQ3i7MLuvrnDeRpxsxnNppRDFQTVhdlKUd+MNJ6Msium6 zU8DWA5IAKNgLX1NMOCbCuADGUfi2efTjbFkNdmKKZVQXtSBwyXDgf9yWBA8LHCv FhxjefioUvTAk6l4QY4vtj8b7Q27xnb0pedsxNLhr8rH/Kw6DlEk4QItL183TPf0 sO3sopIBimWtyVWSbMoneGk0VqhalNtiCZP7z555BfYgBUEADAUuF+dgRdkDO4hu VODIo9SnHnFQ/5LPDKluiQntJ7BOX46P8tp3B6PuSblOjUOCVrak1lMcyzLtMdTX /y6yFi6KzOrYRQyDorTsSpaULPO1YgZifSKqAxb5O9+xVlM+XZKhDVv1rdyTddtc FK4VXulQPqn/x+kpkI5HHqiFirS8pNyVk8BQ0VMmKJS6+NWFobgS89UjFBMOCBhf Pcb3Yz+lREH/jyjjDXSfUyWSTd7q163rbEGx4DSOt3G6fF6ZhUS3qQvvnDGM/Ao/ gLGjt9XKyMwq8af3zB69sbREff3a/QzyNoJy+75/RogWMkHQZeBhRRgV9bL05R5s fkZYYLb756mfDF/qjXphFtAvElVdj9eePMXXD6twitTOuNqjZimah5GNWFdMkM// CU+6FnATt4HDmYvfuA== =AQgN -----END PGP SIGNATURE-----