[reportlab-users] Fix for CVE-2019-17626 python-reportlab

Marius Gedminas marius at gedmin.as
Wed Dec 11 02:48:02 EST 2019

On Tue, Dec 10, 2019 at 04:28:50PM +0000, Robin Becker wrote:
> Hi, it's true we have attempted to address CVE-2019-17626 and other
> uses of eval in the reportlab code.
> The first attempt failed. I failed to understand that removing
> __builtins__ from the globals passed in just made eval/exec put it
> back so that nothing really changed.
> I think that can be addressed by adding in a dummy __builtins__ and
> experiments show that at least the simple hole is closed. So that
> toColor('open("/tmp/dumbo.txt","wb").write("bah!")')
> does not create any file.

Unfortunately clearing __builtins__ is not enough to make eval() safe:

Usually ast.literal_eval() is the best safe replacement if all you need
is ints/floats/tuples/lists.

> On the other hand the current rather simplistic attempt at safety by
> looking at the globals in the module where safer_globals is called may
> not be safe enough.
> I'll try and commit some code tomorrow to address the main problem.
> On 09/12/2019 14:39, Riccardo Schirone wrote:
> > Hi,
> > 
> > Sorry for contacting you directly, but I already tried on the
> > reportlab-users at lists2.reportlab.com mailing list and got no reply.
> > 
> > I came across CVE-2019-17626 in python-reportlab[1], but I see no fix for it.
> > There is actually a commit that seems to try to solve the issue, but it does
> > not. Is there any other fix for that flaw?
> > 
> > Thanks a lot,
> > 
> > [1] https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

Marius Gedminas
This instruction even it has its own Wikipedia entry.  The Wikipedia entry
has been translated into 4 languages.  I am not making this up!
                -- lguest source code about the "cpuid" instruction
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://pairlist2.pair.net/pipermail/reportlab-users/attachments/20191211/78636fca/attachment.sig>

More information about the reportlab-users mailing list