| Summary: | <dev-python/reportlab-3.5.42: code injection in colors.py allows attacker to execute code (CVE-2019-17626) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | lssndrbarbieri, mgorny, netbox253, poncho, python |
| Priority: | Normal | Flags: | nattka:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code | ||
| Whiteboard: | B2 [glsa+ cve] | ||
| Package list: |
=dev-python/reportlab-3.5.42
|
Runtime testing required: | --- |
|
Description
GLSAMaker/CVETool Bot
2020-02-25 00:27:47 UTC
Upstream patch: https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3 Hi all,
Right now reportlab also seems to be holding back the pillow update:
These are the packages that would be merged, in order:
Calculating dependencies... done!
Total: 0 packages, Size of downloads: 0 KiB
WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:
dev-python/pillow:0
(dev-python/pillow-7.0.0:0/0::gentoo, ebuild scheduled for merge) USE="jpeg lcms tiff truetype zlib -doc -examples -imagequant -jpeg2k -test -tk -webp" ABI_X86="(64)" PYTHON_TARGETS="python3_6 -python3_7 (-python3_8)" conflicts with
dev-python/pillow[tiff,truetype,jpeg(+),python_targets_python2_7(-),python_targets_python3_6(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)] required by (dev-python/reportlab-3.5.13-r1:0/0::gentoo, installed) USE="-doc -examples" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_6 -python3_7 (-python3_8)"
Nothing to merge; quitting.
Thanks!
Seb
@maintainer(s): ping Maintainers, please take a look at creating an ebuild. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35 commit f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-05-22 09:01:24 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-05-22 09:03:58 +0000 dev-python/reportlab: Bump to 3.5.42 Bug: https://bugs.gentoo.org/710738 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-python/reportlab/Manifest | 1 + dev-python/reportlab/reportlab-3.5.42.ebuild | 59 ++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) Thanks mgorny. Let us know when ready for stabling as always I don't think this is a high-profile package, so feel free to stabilize anytime you want. Maybe wait a few days, just in case. (In reply to Michał Górny from comment #7) > I don't think this is a high-profile package, so feel free to stabilize > anytime you want. Maybe wait a few days, just in case. Agreed (decided to wait to reply to avoid clogging up the bug). Let's go for it now. arm stable ppc stable ppc64 stable sparc stable amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82b53492a843395480fa31cd0b098a532a3eef40 commit 82b53492a843395480fa31cd0b098a532a3eef40 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2020-06-20 01:24:52 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2020-06-20 01:24:52 +0000 dev-python/reportlab: drop vulnerable Bug: https://bugs.gentoo.org/710738 Signed-off-by: Aaron Bauman <bman@gentoo.org> dev-python/reportlab/Manifest | 1 - dev-python/reportlab/reportlab-3.5.13-r1.ebuild | 66 ------------------------- 2 files changed, 67 deletions(-) GLSA opened. This issue was resolved and addressed in GLSA 202007-35 at https://security.gentoo.org/glsa/202007-35 by GLSA coordinator Sam James (sam_c). |
