Bug 26115

Summary: python-reportlab new security issue CVE-2019-17626
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-reportlab-3.5.32-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-01-21 20:02:51 CET 
RedHat has issued an advisory today (January 21):
https://access.redhat.com/errata/RHSA-2020:0197

The issue is apparently fixed upstream in 3.5.34.

Mageia 7 is also affected.
David Walser 2020-01-21 20:03:00 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-01-21 20:26:23 CET 
Done for both Cauldron and mga7!
Comment 2 David Walser 2020-01-21 21:17:28 CET 
Advisory:
========================

Updated python-reportlab packages fix security vulnerability:

A code injection vulnerability in python-reportlab allows an attacker to
execute code while parsing a color attribute. An application that uses
python-reportlab to parse untrusted input files may be vulnerable to this flaw
and allow remote code execution (CVE-2019-17626).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17626
https://access.redhat.com/errata/RHSA-2020:0197
========================

Updated packages in core/updates_testing:
========================
python2-reportlab-3.5.34-1.mga7
python3-reportlab-3.5.34-1.mga7
python-reportlab-docs-3.5.34-1.mga7

from python-reportlab-3.5.34-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 3 Len Lawrence 2020-01-22 11:34:33 CET 
Mageia7, x86_64

Django uses the reportlab library, also kraft and gourmet.

CVE-2019-17626
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
There is an XML file there which is supposed to expose the issue when used in a webserver transaction as far as I can gather.  No details about how to do that.

https://tante.cc/2008/11/18/howto-generate-barcodes-in-python-with-reportlab/ supplies a short python script which generates a barcode as a PDF file: /tmp/barcode_example.pdf.  That works fine before the update.

Updated the packages and ran the barcode example with python and python3.  Both PDFs looked perfect.  Leaving the tests there.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2020-01-22 18:43:27 CET 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Lewis Smith 2020-01-27 17:58:16 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-01-28 08:54:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0059.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED