Bug 29592

Summary: python-reportlab new security issue CVE-2020-28463
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-reportlab-3.6.1-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-10-25 19:14:55 CEST 
Fedora has issued an advisory on October 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HMUJA5GZTPQ5WRYUCCK2GEZM4W43N7HH/

The issue is fixed upstream in 3.6.2.

Mageia 8 is also affected.
David Walser 2021-10-25 19:15:12 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210
Status comment: (none) => Fixed upstream in 3.6.2

Comment 1 Jani Välimaa 2021-11-13 12:02:56 CET 
Fixed in cauldron with python-reportlab-3.6.2-1.mga9.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => jani.valimaa

Comment 2 Jani Välimaa 2021-11-13 12:10:16 CET 
Pushed python-reportlab-3.6.2-1.mga8 to core/updates_testing. Please test.

SRPMS:
python-reportlab-3.6.2-1.mga8

RPMS:
python3-reportlab-3.6.2-1.mga8
python-reportlab-docs-3.6.2-1.mga8

Assignee: python => qa-bugs

David Walser 2021-11-13 12:22:11 CET

Status comment: Fixed upstream in 3.6.2 => (none)

Comment 3 Herman Viaene 2021-11-22 14:00:22 CET 
MGA8-64 Plasmaon Lenovo B50
No installation issues
Info reads "ReportLab library to create PDF documents using Python 3​"
OKon clean install as for other developer's libraries.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-11-23 17:44:53 CET 
Looked a little deeper at this one, and found in Bug 26115 that this library is used in a few applications.

$ urpmq --whatrequires python3-reportlab
hplip
kraft
noethys
ocrfeeder
python-reportlab-docs
python3-biopython
python3-reportlab
rst2pdf

Looking into hplip, I find python3-reportlab is only used for faxing. Testing that would require a willing recipient for a fax, not easy to find these days. Not much help there.

Kraft sounded interesting, but looking at the online documentation I see that while it used to use reportlab for templates, the developers have switched to a different library, keeping the reportlab dependency only for legacy purposes. No help there, either.

OCRfeeder sounds useful, so I went with that. Installing it didn't bring in python3-reportlab because it was already installed due to the hplip dependency. No installation issues, either with ocrfeeder, or with updating python3-reportlab.

Imported a jpg image into ocrfeeder, then exported it as a pdf. Did the same with output from a scanner.

Seems to be OK, just as Herman surmised. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-11-25 05:18:43 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-11-25 14:07:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0521.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED