Description: ODT Input: don't extract pictures outside the output directory
 When extracting the Pictures/ entries of an ODT archive, resolve each entry
 name against the current working directory and skip any entry whose
 normalised destination falls outside it, so that a crafted entry name
 (e.g. one containing "..") cannot write files elsewhere on the filesystem.
 The file is then opened by its normalised path rather than the raw entry
 name. The information below has been extracted from the changelog.
 .
 calibre (5.12.0+dfsg-1+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2021-44686: Regular Expression Denial of Service
   * CVE-2023-46303: HTML Input: Don't add resources that exist outside
     the document root by default
Author: Adrian Bunk <bunk@debian.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout https://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: (upstream|backport|vendor|other), (<patch-url>|commit:<commit-id>)
Bug: <upstream-bugtracker-url>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: (no|not-needed|<patch-forwarded-url>)
Applied-Upstream: <version>, (<commit-url>|commit:<commid-id>)
Reviewed-By: <name and email of someone who approved/reviewed the patch>
Last-Update: 2026-02-26

--- calibre-5.12.0+dfsg.orig/src/calibre/ebooks/odt/input.py
+++ calibre-5.12.0+dfsg/src/calibre/ebooks/odt/input.py
@@ -28,10 +28,16 @@ class Extract(ODF2XHTML):
     def extract_pictures(self, zf):
         if not os.path.exists('Pictures'):
             os.makedirs('Pictures')
+        base = os.path.abspath(os.getcwd())
+        if not base.endswith(os.sep):
+            base += os.sep
         for name in zf.namelist():
             if name.startswith('Pictures') and name not in {'Pictures', 'Pictures/'}:
+                dest = os.path.abspath(os.path.join(base, name))
+                if os.path.commonprefix([base, dest]) != dest:
+                    continue
                 data = zf.read(name)
-                with open(name, 'wb') as f:
+                with open(dest, 'wb') as f:
                     f.write(data)
 
     def apply_list_starts(self, root, log):
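Review bot: the guard added in extract_pictures compares against the wrong operand and will skip every picture, not only the traversing ones. For an entry such as `Pictures/a.png`, `dest` is `base + 'Pictures/a.png'` and `os.path.commonprefix([base, dest])` is therefore `base`, so `!= dest` is always true and the loop `continue`s before anything is written; the traversal case (`dest` outside `base`) is rejected too, but only as a side effect of rejecting everything. The line should read `if os.path.commonprefix([base, dest]) != base:`, which keeps entries under `base` and drops the rest. Note that `commonprefix` is character-wise, so the `base += os.sep` two lines earlier is what stops a sibling directory such as `<base>2/...` from passing; keep that, and a short test with one normal entry and one `Pictures/../x` entry would have caught the inverted comparison. Separately, `Origin:` and `Forwarded:` in the header are still the template placeholders; record the upstream change this was backported from and state which of the two CVEs in the changelog this ODT hunk addresses, since the changelog text describes the HTML input.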
