Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710738 (CVE-2019-17626) - <dev-python/reportlab-3.5.42: code injection in colors.py allows attacker to execute code (CVE-2019-17626)
Summary: <dev-python/reportlab-3.5.42: code injection in colors.py allows attacker to ...
Status: RESOLVED FIXED
Alias: CVE-2019-17626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bitbucket.org/rptlab/reportla...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-25 00:27 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-27 00:36 UTC (History)
5 users (show)

See Also:
Package list:
=dev-python/reportlab-3.5.42
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:27:47 UTC
CVE-2019-17626 (https://nvd.nist.gov/vuln/detail/CVE-2019-17626):
  ReportLab through 3.5.26 allows remote code execution because of
  toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document
  with '<span color="' followed by arbitrary Python code.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-02-25 00:28:45 UTC
Upstream patch:

https://hg.reportlab.com/hg-public/reportlab/rev/51a521ad7dd3
Comment 2 Sebastian 2020-03-27 07:54:19 UTC
Hi all,

Right now reportlab also seems to be holding back the pillow update:

These are the packages that would be merged, in order:

Calculating dependencies... done!

Total: 0 packages, Size of downloads: 0 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-python/pillow:0

  (dev-python/pillow-7.0.0:0/0::gentoo, ebuild scheduled for merge) USE="jpeg lcms tiff truetype zlib -doc -examples -imagequant -jpeg2k -test -tk -webp" ABI_X86="(64)" PYTHON_TARGETS="python3_6 -python3_7 (-python3_8)" conflicts with
    dev-python/pillow[tiff,truetype,jpeg(+),python_targets_python2_7(-),python_targets_python3_6(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)] required by (dev-python/reportlab-3.5.13-r1:0/0::gentoo, installed) USE="-doc -examples" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_6 -python3_7 (-python3_8)"
                                                                                                                                                                                                                                                


Nothing to merge; quitting.

Thanks!
Seb
Comment 3 Sam James archtester gentoo-dev Security 2020-04-25 13:02:19 UTC
@maintainer(s): ping
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2020-05-22 01:30:21 UTC
Maintainers, please take a look at creating an ebuild.
Comment 5 Larry the Git Cow gentoo-dev 2020-05-22 09:04:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35

commit f7b5c93f075e2d089c65dc56a13b2f1ccb1b8a35
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-22 09:01:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-22 09:03:58 +0000

    dev-python/reportlab: Bump to 3.5.42
    
    Bug: https://bugs.gentoo.org/710738
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/reportlab/Manifest                |  1 +
 dev-python/reportlab/reportlab-3.5.42.ebuild | 59 ++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2020-05-22 09:30:38 UTC
Thanks mgorny. Let us know when ready for stabling as always
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 11:41:22 UTC
I don't think this is a high-profile package, so feel free to stabilize anytime you want.  Maybe wait a few days, just in case.
Comment 8 Sam James archtester gentoo-dev Security 2020-06-04 16:58:52 UTC
(In reply to Michał Górny from comment #7)
> I don't think this is a high-profile package, so feel free to stabilize
> anytime you want.  Maybe wait a few days, just in case.

Agreed (decided to wait to reply to avoid clogging up the bug). Let's go for it now.
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-06 17:29:58 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-06 17:32:51 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-06-06 20:13:34 UTC
ppc64 stable
Comment 12 Rolf Eike Beer 2020-06-06 20:45:27 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-06-07 08:45:46 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-06-07 08:49:04 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Larry the Git Cow gentoo-dev 2020-06-20 01:25:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82b53492a843395480fa31cd0b098a532a3eef40

commit 82b53492a843395480fa31cd0b098a532a3eef40
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:24:52 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:24:52 +0000

    dev-python/reportlab: drop vulnerable
    
    Bug: https://bugs.gentoo.org/710738
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/reportlab/Manifest                   |  1 -
 dev-python/reportlab/reportlab-3.5.13-r1.ebuild | 66 -------------------------
 2 files changed, 67 deletions(-)
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:26:08 UTC
GLSA opened.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:36:10 UTC
This issue was resolved and addressed in
 GLSA 202007-35 at https://security.gentoo.org/glsa/202007-35
by GLSA coordinator Sam James (sam_c).