PublicDateAtUSN: 2019-10-16 12:15:00 UTC
Candidate: CVE-2019-17626
PublicDate: 2019-10-16 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17626
 https://bitbucket.org/rptlab/reportlab/src/default/CHANGES.md
 https://ubuntu.com/security/notices/USN-4273-1
Description:
 ReportLab through 3.5.26 allows remote code execution because of
 toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document
 with '<span color="' followed by arbitrary Python code.
Ubuntu-Description:
Notes:
 leosilva> the first commit in the bug, according to the comments
 leosilva> doesn't fix the bug, also it breaks some tests.
 mdeslaur> the second commit uses a significant amount of code and may
 mdeslaur> not be licensed correctly.
 mdeslaur> See comment from Marek Kasik for minimal patch from Red Hat.
Mitigation:
Bugs:
 https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_python-reportlab:
upstream_python-reportlab: needs-triage
precise/esm_python-reportlab: DNE
trusty_python-reportlab: ignored (out of standard support)
trusty/esm_python-reportlab: DNE
xenial_python-reportlab: released (3.3.0-1ubuntu0.1)
esm-infra/xenial_python-reportlab: released (3.3.0-1ubuntu0.1)
bionic_python-reportlab: released (3.4.0-3ubuntu0.1)
disco_python-reportlab: ignored (reached end-of-life)
eoan_python-reportlab: released (3.5.23-1ubuntu0.1)
devel_python-reportlab: not-affected (3.5.34-1)