CVE-2019-17626

Priority
Description
ReportLab through 3.5.26 allows remote code execution because of
toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document
with '<span color="' followed by arbitrary Python code.
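The root cause named in the description is that a colour attribute reaching toColor() was passed through eval(), so the attribute string was executed as Python. As an added illustration that is not ReportLab's code or its upstream fix, the parser below accepts only a fixed allowlist of colour names, #hex and rgb() forms and raises ValueError for everything else, so no input is ever interpreted as code; the name table is a constructed sample.

```python
import re

# Constructed allowlist for this example; a real implementation would hold
# the full named-colour table as data, never as expressions to evaluate.
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}

# Strict grammars for the two non-named forms; anchored so nothing else passes.
_HEX_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
_RGB_RE = re.compile(r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")


def parse_color(arg):
    """Return (r, g, b) floats in 0..1 for a named, #hex or rgb() colour string.

    Any other input raises ValueError. The value is only matched against
    fixed grammars and a lookup table; it is never passed to eval().
    """
    if not isinstance(arg, str):
        raise ValueError("color must be a string")
    s = arg.strip()
    key = s.lower()
    if key in NAMED_COLORS:
        return NAMED_COLORS[key]
    if _HEX_RE.match(s):
        h = s[1:]
        if len(h) == 3:  # expand short form, e.g. #f00 -> ff0000
            h = "".join(c * 2 for c in h)
        return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    m = _RGB_RE.match(key)
    if m:
        vals = [int(v) for v in m.groups()]
        if any(v > 255 for v in vals):
            raise ValueError("rgb() component out of range: %r" % arg)
        return tuple(v / 255.0 for v in vals)
    raise ValueError("unrecognised color value: %r" % arg)


def is_safe_color(arg):
    """True if parse_color accepts the value, False if it is rejected."""
    try:
        parse_color(arg)
        return True
    except ValueError:
        return False
```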
Assigned-to
mdeslaur
Notes
leosilva: the first commit in the bug, according to the comments,
doesn't fix the bug, and it also breaks some tests.
mdeslaur: the second commit uses a significant amount of code and may
not be licensed correctly.
See comment from Marek Kasik for minimal patch from Red Hat.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (3.3.0-1ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (3.4.0-3ubuntu0.1)
Ubuntu 19.10 (Eoan Ermine): released (3.5.23-1ubuntu0.1)
Ubuntu 20.04 (Focal Fossa): not-affected (3.5.34-1)
More Information

Updated: 2020-02-06 20:15:12 UTC (commit c275f74f55e22240eaacee65200bd481d0f37194)