Bug 26115 - python-reportlab new security issue CVE-2019-17626
Summary: python-reportlab new security issue CVE-2019-17626
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-21 20:02 CET by David Walser
Modified: 2020-01-28 08:54 CET (History)
4 users

See Also:
Source RPM: python-reportlab-3.5.32-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-01-21 20:02:51 CET
RedHat has issued an advisory today (January 21):
https://access.redhat.com/errata/RHSA-2020:0197

The issue is apparently fixed upstream in 3.5.34.

Mageia 7 is also affected.
David Walser 2020-01-21 20:03:00 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-01-21 20:26:23 CET
Done for both Cauldron and mga7!
Comment 2 David Walser 2020-01-21 21:17:28 CET
Advisory:
========================

Updated python-reportlab packages fix security vulnerability:

A code injection vulnerability in python-reportlab allows an attacker to
execute code while parsing a color attribute. An application that uses
python-reportlab to parse untrusted input files may be vulnerable to this flaw
and allow remote code execution (CVE-2019-17626).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17626
https://access.redhat.com/errata/RHSA-2020:0197
========================

Updated packages in core/updates_testing:
========================
python2-reportlab-3.5.34-1.mga7
python3-reportlab-3.5.34-1.mga7
python-reportlab-docs-3.5.34-1.mga7

from python-reportlab-3.5.34-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA7TOO => (none)

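As an added illustration of the flaw the advisory above describes (this is not reportlab's code and not part of the bug report): a minimal colour-attribute parser written in the eval-based shape that the linked issue title names, beside a hardened version that accepts only literals and type-checks the result. The colour table, function names and inputs are constructed for the example.

```python
import ast
import re

# Constructed subset of named colours; a real library carries a much larger table.
NAMED_COLORS = {"red": (1.0, 0.0, 0.0), "green": (0.0, 1.0, 0.0), "blue": (0.0, 0.0, 1.0)}
_HEX_RE = re.compile(r"^#([0-9a-fA-F]{6})$")

def _from_hex(h):
    return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))

def _check_triple(value):
    """Accept only a 3-tuple/list of numbers in 0..1; reject anything else."""
    if (isinstance(value, (tuple, list)) and len(value) == 3
            and all(isinstance(c, (int, float)) and 0 <= c <= 1 for c in value)):
        return tuple(float(c) for c in value)
    raise ValueError(f"not an RGB triple: {value!r}")

def to_color_unsafe(arg):
    """Vulnerable pattern (hypothetical, modelled on the eval() sink the bug report
    points at): a string that is neither a name nor a hex value is handed to eval(),
    so any Python expression placed in a colour attribute is executed."""
    if isinstance(arg, str):
        if arg in NAMED_COLORS:
            return NAMED_COLORS[arg]
        m = _HEX_RE.match(arg)
        if m:
            return _from_hex(m.group(1))
        return to_color_unsafe(eval(arg))  # code injection sink
    return _check_triple(arg)

def to_color_safe(arg):
    """Hardened form: literals only via ast.literal_eval, then a type check."""
    if isinstance(arg, str):
        if arg in NAMED_COLORS:
            return NAMED_COLORS[arg]
        m = _HEX_RE.match(arg)
        if m:
            return _from_hex(m.group(1))
        try:
            value = ast.literal_eval(arg)  # parses literals; never calls or imports
        except (ValueError, SyntaxError):
            raise ValueError(f"unparseable colour: {arg!r}") from None
        return _check_triple(value)
    return _check_triple(arg)

def is_rejected(parser, arg):
    """True if the parser refuses the input instead of producing a colour."""
    try:
        parser(arg)
        return False
    except ValueError:
        return True
```

The unsafe parser evaluates a function call embedded in the attribute (here a harmless `tuple(...)`), which is exactly the behaviour the hardened parser refuses.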
Comment 3 Len Lawrence 2020-01-22 11:34:33 CET
Mageia7, x86_64

Django uses the reportlab library, also kraft and gourmet.

CVE-2019-17626
https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
There is an XML file there which is supposed to expose the issue when used in a webserver transaction as far as I can gather. No details about how to do that.

https://tante.cc/2008/11/18/howto-generate-barcodes-in-python-with-reportlab/ supplies a short python script which generates a barcode as a PDF file: /tmp/barcode_example.pdf. That works fine before the update.

Updated the packages and ran the barcode example with python and python3. Both PDFs looked perfect. Leaving the tests there.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2020-01-22 18:43:27 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Lewis Smith 2020-01-27 17:58:16 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-01-28 08:54:37 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0059.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
