Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 calibre (5.12.0+dfsg-1+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2021-44686: Regular Expression Denial of Service
   * CVE-2023-46303: HTML Input: Don't add resources that exist outside
     the document root by default
Author: Adrian Bunk <bunk@debian.org>

---
The information above should follow the Patch Tagging Guidelines; please
check out https://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: (upstream|backport|vendor|other), (<patch-url>|commit:<commit-id>)
Bug: <upstream-bugtracker-url>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: (no|not-needed|<patch-forwarded-url>)
Applied-Upstream: <version>, (<commit-url>|commit:<commit-id>)
Reviewed-By: <name and email of someone who approved/reviewed the patch>
Last-Update: 2026-02-26

--- a/src/calibre/ebooks/conversion/plugins/epub_input.py
+++ b/src/calibre/ebooks/conversion/plugins/epub_input.py
@@ -65,13 +65,15 @@ class EPUBInput(InputFormatPlugin):
 
         try:
             root = etree.parse(encfile)
+            base = os.path.dirname(encfile)
+            container_base = os.path.dirname(base)
             for em in root.xpath('descendant::*[contains(name(), "EncryptionMethod")]'):
                 algorithm = em.get('Algorithm', '')
                 if algorithm not in {ADOBE_OBFUSCATION, IDPF_OBFUSCATION}:
                     return False
                 cr = em.getparent().xpath('descendant::*[contains(name(), "CipherReference")]')[0]
                 uri = cr.get('URI')
-                path = os.path.abspath(os.path.join(os.path.dirname(encfile), '..', *uri.split('/')))
+                path = os.path.abspath(os.path.join(base, '..', *uri.split('/')))
                 tkey = (key if algorithm == ADOBE_OBFUSCATION else idpf_key)
                 if (tkey and os.path.exists(path)):
                     self._encrypted_font_uris.append(uri)
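Review bot: `container_base` is assigned in the two added lines at the top of the `try` block but is never read in the visible lines, so the new `path = os.path.abspath(os.path.join(base, '..', *uri.split('/')))` is functionally the same as the line it replaces. A `CipherReference` URI containing `..` segments still resolves outside the container directory before `os.path.exists(path)` runs and the URI is appended to `self._encrypted_font_uris`. If the intent is to confine encrypted-font paths to the container, compare the normalized result against the root before the `tkey` test, for example `if not path.startswith(os.path.abspath(container_base) + os.sep): continue`, and say in a comment whether an out-of-root URI should be skipped or should make the function return False. If the check lives in a part of the file not shown here, drop the unused variable from this hunk. The patch header also still carries the template `Description:` and TODO text, so the Origin/Bug fields that would tie this hunk to one of the two listed CVEs are missing.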
