[reportlab-users] Fix for CVE-2019-17626 python-reportlab
Marius Gedminas
marius at gedmin.as
Wed Dec 11 02:48:02 EST 2019
On Tue, Dec 10, 2019 at 04:28:50PM +0000, Robin Becker wrote:
> Hi, it's true we have attempted to address CVE-2019-17626 and other
> uses of eval in the reportlab code.
>
> The first attempt failed. I failed to understand that removing
> __builtins__ from the globals passed in just made eval/exec put it
> back so that nothing really changed.
>
> I think that can be addressed by adding in a dummy __builtins__ and
> experiments show that at least the simple hole is closed. So that
>
> toColor('open("/tmp/dumbo.txt","wb").write("bah!")')
>
> does not create any file.
Unfortunately clearing __builtins__ is not enough to make eval() safe:
https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
Usually ast.literal_eval() is the best safe replacement if all you need
is ints/floats/tuples/lists.
> On the other hand the current rather simplistic attempt at safety by
> looking at the globals in the module where safer_globals is called may
> not be safe enough.
>
> I'll try and commit some code tomorrow to address the main problem.
>
>
>
> On 09/12/2019 14:39, Riccardo Schirone wrote:
> > Hi,
> >
> > Sorry for contacting you directly, but I already tried on the
> > reportlab-users at lists2.reportlab.com mailing list and got no reply.
> >
> > I came across CVE-2019-17626 in python-reportlab[1], but I see no fix for it.
> > There is actually a commit that seems to try to solve the issue, but it does
> > not. Is there any other fix for that flaw?
> >
> > Thanks a lot,
> >
> > [1] https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
Regards,
Marius Gedminas
--
This instruction even has its own Wikipedia entry. The Wikipedia entry
has been translated into 4 languages. I am not making this up!
-- lguest source code about the "cpuid" instruction
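As an added illustration of the ast.literal_eval() replacement Marius suggests (this is example code written for this page, not reportlab's toColor or any commit from the project), the parser below accepts a colour given as a three-number tuple or list and refuses anything that is not a plain literal. The function names, the 0..1 component range and the sample inputs are assumptions made for the example; the rejected string is the one quoted in the thread.

```python
import ast
from typing import Tuple

# Example code, not reportlab's: a literal_eval based colour parser standing
# in for the eval() call that CVE-2019-17626 concerned.  ast.literal_eval only
# builds values from Python literals (numbers, strings, tuples, lists, dicts,
# ...); a Call, Attribute or Name node makes it raise ValueError, so the
# expression is never executed and no dummy __builtins__ trick is needed.


def parse_color_literal(text: str) -> Tuple[float, float, float]:
    """Parse '(r, g, b)' with numeric components in 0..1 (assumed range)."""
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        # ValueError: not a literal (e.g. a function call); SyntaxError: not
        # parseable at all.  Both are reported the same way to the caller.
        raise ValueError(f"not a colour literal: {text!r}") from exc
    if not (isinstance(value, (tuple, list)) and len(value) == 3):
        raise ValueError(f"expected three components, got {value!r}")
    rgb = []
    for comp in value:
        # bool is a subclass of int; reject it explicitly.
        if isinstance(comp, bool) or not isinstance(comp, (int, float)):
            raise ValueError(f"component {comp!r} is not a number")
        if not 0.0 <= comp <= 1.0:
            raise ValueError(f"component {comp!r} outside 0..1")
        rgb.append(float(comp))
    return (rgb[0], rgb[1], rgb[2])


def is_rejected(text: str) -> bool:
    """True when parse_color_literal refuses the input (without executing it)."""
    try:
        parse_color_literal(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(parse_color_literal("(1, 0.5, 0)"))
    # The string from the thread is a call expression: rejected, never run.
    print(is_rejected('open("/tmp/dumbo.txt","wb").write("bah!")'))
```

The useful property is that the accept set is defined by the literal grammar rather than by what has been stripped out of the evaluation namespace, so there is nothing for an attacker to reach back into; the validation after literal_eval then narrows the accepted shape to exactly the colour form the caller expects.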