CVE-2019-17626

Published: 16 October 2019

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
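The shape of the bug, as an added example that is not ReportLab's code and not the upstream fix: a colour-parsing helper that passes a markup attribute through eval() before colour conversion, next to a hardened version. The colour table, the attribute extractor, the payload (it only appends to a list, so the effect is observable without touching the OS) and the length cap are constructed for this illustration; upstream's real patch may differ.

```python
import ast
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a real named-colour table (assumption: three
# entries are enough to show the pattern).
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 1.0, 0.0),
    "blue": (0.0, 0.0, 1.0),
}
_HEX_RE = re.compile(r"^#([0-9a-f]{6})$")
MAX_COLOR_LEN = 64  # assumption: no legitimate colour spec is longer than this

# Records side effects so the example can prove that code ran.
SIDE_EFFECTS = []

# Constructed payload in the shape the advisory describes: Python code placed
# in the colour attribute. It appends to SIDE_EFFECTS and then yields 'red'.
PAYLOAD = "SIDE_EFFECTS.append('code ran') or 'red'"
CRAFTED_MARKUP = '<para><span color="' + PAYLOAD + '">text</span></para>'


def to_color(value):
    """Convert a colour name, '#rrggbb' string, or (r, g, b) float tuple to an RGB tuple."""
    if isinstance(value, tuple) and len(value) == 3 and all(
        isinstance(c, (int, float)) and not isinstance(c, bool) and 0 <= c <= 1
        for c in value
    ):
        return tuple(float(c) for c in value)
    if isinstance(value, str):
        name = value.strip().lower()
        if name in NAMED_COLORS:
            return NAMED_COLORS[name]
        m = _HEX_RE.match(name)
        if m:
            h = m.group(1)
            return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    raise ValueError("unrecognised colour: %r" % (value,))


def color_attr_from_markup(xml_text):
    """Return the color attribute of the first <span> in the markup (None if absent)."""
    span = ET.fromstring(xml_text).find("span")
    return None if span is None else span.get("color")


def parse_color_vulnerable(arg):
    """Vulnerable shape: the attribute string goes straight through eval()."""
    return to_color(eval(arg))  # arbitrary Python executes here


def parse_color_fixed(arg):
    """Hardened shape: ast.literal_eval admits only Python literals (number tuples
    here, never calls or attribute access); anything else must match the closed
    grammar in to_color()."""
    if len(arg) > MAX_COLOR_LEN:  # literal_eval still parses; cap input against deep-nesting DoS
        raise ValueError("colour spec too long")
    try:
        parsed = ast.literal_eval(arg)
    except (ValueError, SyntaxError, TypeError):
        parsed = arg  # 'red' and '#ff0000' are not Python literals; treat as plain text
    return to_color(parsed)


def demonstrate():
    """Feed the crafted markup to both parsers and report what each did."""
    attr = color_attr_from_markup(CRAFTED_MARKUP)
    SIDE_EFFECTS.clear()
    vuln_result = parse_color_vulnerable(attr)
    vuln_effects = list(SIDE_EFFECTS)
    SIDE_EFFECTS.clear()
    try:
        parse_color_fixed(attr)
        fixed_result = "accepted"
    except ValueError:
        fixed_result = "rejected"
    return {
        "attribute": attr,
        "vulnerable_result": vuln_result,
        "vulnerable_side_effects": vuln_effects,
        "fixed_result": fixed_result,
        "fixed_side_effects": list(SIDE_EFFECTS),
    }


if __name__ == "__main__":
    for key, val in demonstrate().items():
        print(key, "=", val)
```

Running demonstrate() shows the vulnerable parser returning a perfectly valid red while the payload's side effect has already happened; the hardened parser rejects the same attribute and the side-effect list stays empty. The check to carry over to any similar code: an attribute value from a document must never reach eval(), and even literal_eval only narrows the problem, so the accepted forms should be enumerated (names, hex, numeric tuples) and the input length bounded.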

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: python-reportlab (Launchpad, Ubuntu, Debian)

Release                               Status
Upstream                              Needs triage
Ubuntu 20.04 LTS (Focal Fossa)        Not vulnerable (3.5.34-1)
Ubuntu 18.04 LTS (Bionic Beaver)      Released (3.4.0-3ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus)       Released (3.3.0-1ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr)        Does not exist
Ubuntu 12.04 ESM (Precise Pangolin)   Does not exist

Notes

Author     Note
leosilva   The first commit in the bug, according to the comments, doesn't fix the bug; it also breaks some tests.
mdeslaur   The second commit uses a significant amount of code and may not be licensed correctly. See the comment from Marek Kasik for the minimal patch from Red Hat.

References

Bugs