[reportlab-users] Fix for CVE-2019-17626 python-reportlab
marius at gedmin.as
Wed Dec 11 02:48:02 EST 2019
On Tue, Dec 10, 2019 at 04:28:50PM +0000, Robin Becker wrote:
> Hi, it's true we have attempted to address CVE-2019-17626 and other
> uses of eval in the reportlab code.
> The first attempt failed. I failed to understand that removing
> __builtins__ from the globals passed in just made eval/exec put it
> back so that nothing really changed.
> I think that can be addressed by adding in a dummy __builtins__ and
> experiments show that at least the simple hole is closed. So that
> does not create any file.
Unfortunately clearing __builtins__ is not enough to make eval() safe:
Usually ast.literal_eval() is the best safe replacement if all you need
> On the other hand the current rather simplistic attempt at safety by
> looking at the globals in the module where safer_globals is called may
> not be safe enough.
> I'll try and commit some code tomorrow to address the main problem.
> On 09/12/2019 14:39, Riccardo Schirone wrote:
> > Hi,
> > Sorry for contacting you directly, but I already tried on the
> > reportlab-users at lists2.reportlab.com mailing list and got no reply.
> > I came across CVE-2019-17626 in python-reportlab, but I see no fix for it.
> > There is actually a commit that seems to try to solve the issue, but it does
> > not. Is there any other fix for that flaw?
> > Thanks a lot,
> >  https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
This instruction even has its own Wikipedia entry. The Wikipedia entry
has been translated into 4 languages. I am not making this up!
-- lguest source code about the "cpuid" instruction
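The thread above contrasts eval() with a stripped __builtins__ against a real safe replacement. The following is an added example, not reportlab's code: a small allowlist evaluator for colour expressions built on the ast module, so that only literals, tuples, a few named colours and calls to an allowlisted constructor are accepted and everything else is rejected before any evaluation happens. The Color class and the allowed names are constructed stand-ins, not reportlab's own.

```python
import ast
from collections import namedtuple

# Constructed stand-in for a colour class; not reportlab's own Color.
Color = namedtuple("Color", "red green blue")

# Allowlist of callables the expression language may invoke.
ALLOWED_CALLS = {"Color": Color}
# Allowlist of bare names the expression language may reference.
ALLOWED_NAMES = {"red": Color(1.0, 0.0, 0.0), "black": Color(0.0, 0.0, 0.0)}


def safe_color_eval(text):
    """Evaluate a colour expression without eval().

    Accepts numeric/string literals, tuples or lists of them, allowlisted
    names, and calls to allowlisted callables with positional literal
    arguments. Attribute access, subscripts, operators and unknown names
    raise ValueError instead of being executed.
    """
    tree = ast.parse(text.strip(), mode="eval")
    return _eval_node(tree.body)


def _eval_node(node):
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float, str)):
            return node.value
        raise ValueError("unsupported literal")
    if isinstance(node, (ast.Tuple, ast.List)):
        return tuple(_eval_node(e) for e in node.elts)
    if isinstance(node, ast.Name):
        if node.id in ALLOWED_NAMES:
            return ALLOWED_NAMES[node.id]
        raise ValueError("unknown name: %s" % node.id)
    if isinstance(node, ast.Call):
        # The callee must be a bare allowlisted name, never an attribute.
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
            raise ValueError("call not allowed")
        if node.keywords:
            raise ValueError("keyword arguments not allowed")
        return ALLOWED_CALLS[node.func.id](*[_eval_node(a) for a in node.args])
    raise ValueError("unsupported syntax: %s" % type(node).__name__)


def is_safe_color_expr(text):
    """True if the expression parses and evaluates under the allowlist."""
    try:
        safe_color_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False
```

Because the allowlist is enforced on the parsed syntax tree, there is no __builtins__ mapping for the interpreter to restore, which is the failure mode the thread describes.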