CVE-2019-17626 (https://nvd.nist.gov/vuln/detail/CVE-2019-17626): ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
Upstream patch: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3
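The CVE text above describes the root cause: a colour attribute taken from untrusted markup was passed through eval(), so any Python expression in that attribute ran with the privileges of the converter. The following is an added illustration of the defensive alternative; it is not reportlab's code and does not reproduce the upstream patch. It assumes a small constructed colour-name table and accepts only the literal colour syntaxes a document is expected to carry (a known name, #rrggbb, #rgb, or an (r, g, b) tuple of numbers), using regular expressions and ast.literal_eval rather than eval(). Anything code-shaped is rejected before it can reach an interpreter.

```python
import ast
import re
import xml.etree.ElementTree as ET

# Constructed subset of a named-colour table (assumption: a real library
# would carry a much larger one).
NAMED_COLOURS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}

_HEX6 = re.compile(r"^#([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})$")
_HEX3 = re.compile(r"^#([0-9a-fA-F])([0-9a-fA-F])([0-9a-fA-F])$")


class ColorSyntaxError(ValueError):
    """Raised for any attribute value that is not one of the accepted colour forms."""


def _check_rgb(values):
    """Validate a parsed tuple: exactly three non-bool numbers in [0, 1]."""
    if len(values) != 3 or not all(
        isinstance(v, (int, float)) and not isinstance(v, bool) for v in values
    ):
        raise ColorSyntaxError("rgb tuple must hold three numbers")
    if not all(0.0 <= float(v) <= 1.0 for v in values):
        raise ColorSyntaxError("rgb components must lie in [0, 1]")
    return tuple(float(v) for v in values)


def safe_to_color(arg: str):
    """Parse a colour attribute without eval().

    Accepted forms: a known colour name, '#rrggbb', '#rgb', or a literal
    '(r, g, b)' tuple of numbers in [0, 1]. Everything else raises
    ColorSyntaxError, so code-shaped text is never evaluated.
    """
    text = arg.strip()
    if not text:
        raise ColorSyntaxError("empty colour")
    lowered = text.lower()
    if lowered in NAMED_COLOURS:
        return NAMED_COLOURS[lowered]
    m = _HEX6.match(text)
    if m:
        return tuple(int(h, 16) / 255.0 for h in m.groups())
    m = _HEX3.match(text)
    if m:
        # '#08f' expands to '#0088ff'
        return tuple(int(h * 2, 16) / 255.0 for h in m.groups())
    if text.startswith("(") and text.endswith(")"):
        try:
            # literal_eval only builds Python literals; names, calls and
            # attribute access raise ValueError/SyntaxError without executing.
            parsed = ast.literal_eval(text)
        except (ValueError, SyntaxError) as exc:
            raise ColorSyntaxError(f"not a literal rgb tuple: {text!r}") from exc
        if not isinstance(parsed, tuple):
            raise ColorSyntaxError("expected a tuple")
        return _check_rgb(parsed)
    raise ColorSyntaxError(f"unrecognised colour value: {text!r}")


def is_valid_colour(arg: str) -> bool:
    """Convenience predicate for validation at the input boundary."""
    try:
        safe_to_color(arg)
    except ColorSyntaxError:
        return False
    return True


def span_colours(markup: str):
    """Parse every <span color="..."> attribute in a markup fragment safely."""
    root = ET.fromstring(f"<root>{markup}</root>")
    return [
        safe_to_color(span.get("color"))
        for span in root.iter("span")
        if span.get("color") is not None
    ]


# Constructed sample fragment, not taken from any real document.
SAMPLE_MARKUP = '<span color="red">a</span><span color="#0000ff">b</span>'

if __name__ == "__main__":
    print(span_colours(SAMPLE_MARKUP))
    for candidate in ("red", "#08f", "(0.5, 0, 1)", "1+1", "(len('x'), 0, 0)", "(1, 2, 3)"):
        print(f"{candidate!r}: {'accepted' if is_valid_colour(candidate) else 'rejected'}")
```

The design point is the allow-list: the parser enumerates the grammar it is willing to accept and refuses everything else, instead of handing the string to a general-purpose evaluator and hoping the input is benign. ast.literal_eval is used only for the tuple form, and its result is still range-checked, since a literal that parses is not necessarily a valid colour.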
Hi all,

Right now reportlab also seems to be holding back the pillow update:

These are the packages that would be merged, in order:

Calculating dependencies... done!
Total: 0 packages, Size of downloads: 0 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-python/pillow:0

  (dev-python/pillow-7.0.0:0/0::gentoo, ebuild scheduled for merge) USE="jpeg lcms tiff truetype zlib -doc -examples -imagequant -jpeg2k -test -tk -webp" ABI_X86="(64)" PYTHON_TARGETS="python3_6 -python3_7 (-python3_8)" conflicts with
    dev-python/pillow[tiff,truetype,jpeg(+),python_targets_python2_7(-),python_targets_python3_6(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)] required by (dev-python/reportlab-3.5.13-r1:0/0::gentoo, installed) USE="-doc -examples" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_6 -python3_7 (-python3_8)"

Nothing to merge; quitting.

Thanks!
Seb
@maintainer(s): ping
Maintainers, please take a look at creating an ebuild.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35

commit f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-22 09:01:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-22 09:03:58 +0000

    dev-python/reportlab: Bump to 3.5.42

    Bug: https://bugs.gentoo.org/710738
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/reportlab/Manifest                |  1 +
 dev-python/reportlab/reportlab-3.5.42.ebuild | 59 ++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Thanks mgorny. Let us know when ready for stabling as always
I don't think this is a high-profile package, so feel free to stabilize anytime you want. Maybe wait a few days, just in case.
(In reply to Michał Górny from comment #7)
> I don't think this is a high-profile package, so feel free to stabilize
> anytime you want. Maybe wait a few days, just in case.

Agreed (decided to wait to reply to avoid clogging up the bug). Let's go for it now.
arm stable
ppc stable
ppc64 stable
sparc stable
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82b53492a843395480fa31cd0b098a532a3eef40

commit 82b53492a843395480fa31cd0b098a532a3eef40
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:24:52 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:24:52 +0000

    dev-python/reportlab: drop vulnerable

    Bug: https://bugs.gentoo.org/710738
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/reportlab/Manifest                   |  1 -
 dev-python/reportlab/reportlab-3.5.13-r1.ebuild | 66 -------------------------
 2 files changed, 67 deletions(-)
GLSA opened.
This issue was resolved and addressed in GLSA 202007-35 at https://security.gentoo.org/glsa/202007-35 by GLSA coordinator Sam James (sam_c).