Your message dated Thu, 24 Aug 2023 09:25:46 +0000
with message-id <[email protected]>
and subject line Bug#961524: fixed in python-reportlab 4.0.4-11
has caused the Debian Bug report #961524,
regarding python-reportlab: Unsafe exec in reportlab.platypus.Macro
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
961524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961524
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-reportlab
Version: 3.1.8-3+deb8u2, 3.3.0-2+deb9u1, 3.5.13-1+deb10u1
Hi,
When I was reviewing the patch for CVE-2019-17626, the upstream fix:
https://github.com/MrBitBucket/reportlab-mirror/commit/de97afeae2adfaf129d577932caf2e455be8e606#diff-cbe131c773b3a48a9f14c3f3475dabd0L758
also fixes an unsafe exec call.
class Macro(Flowable):
"""This is not actually drawn (i.e. it has zero height)
but is executed when it would fit in the frame. Allows direct
access to the canvas through the object 'canvas'"""
def __init__(self, command):
self.command = command
def __repr__(self):
return "Macro(%s)" % repr(self.command)
def wrap(self, availWidth, availHeight):
return (0,0)
def draw(self):
- exec(self.command, safer_globals(), {'canvas':self.canv})
+ rl_safe_exec(self.command, g=None, l={'canvas':self.canv})
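Review bot: passing `g=None` drops `safer_globals()` entirely, so after this change the only name a macro body can see is `canvas` from `l={'canvas':self.canv}`; any existing Macro command that relied on a global supplied by `safer_globals()` will now fail inside the restricted evaluator with a "missing global" error (the `BadCode: missing global open` traceback later in this report shows exactly that path). That is the intended hardening, but it is a visible behaviour change for callers and deserves a changelog line. Note also that `self.command` is still executed verbatim: the safety now rests entirely on the restricted environment that `rl_safe_exec` builds, not on any validation of the command string, so callers must keep treating that string as untrusted input.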
Due to a license issue and the hard-to-audit code introduced, Debian's patch
does not follow this upstream fix, which means rl_safe_exec is not involved
in Debian packages.
So, I'm able to trigger this unsafe exec with this code when using Debian
packages version 3.1.8-3+deb8u2, 3.3.0-2+deb9u1, 3.5.13-1+deb10u1:
>>> from reportlab.platypus import Macro
>>> x=Macro("open('test.txt','w').write('ok')")
>>> x.canv=None
>>> x.draw()
# ls test.txt
test.txt
----
However, with the latest pip version, an exception is generated:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Python38\lib\site-packages\reportlab\platypus\flowables.py",
line 758, in draw
rl_safe_exec(self.command, g=None, l={'canvas':self.canv})
File "C:\Python38\lib\site-packages\reportlab\lib\rl_safe_eval.py",
line 1334, in __call__
return self.env.__rl_safe_eval__(expr, g, l, self.mode, timeout=timeout,
File "C:\Python38\lib\site-packages\reportlab\lib\rl_safe_eval.py",
line 1318, in __rl_safe_eval__
return eval(bcode,G,L)
File "<string>", line 1, in <module>
File "C:\Python38\lib\site-packages\reportlab\lib\rl_safe_eval.py",
line 1041, in <lambda>
__rl_builtins__['__rl_apply__'] = lambda func,*args,**kwds:
self.__rl_apply__(func,args,kwds)
File "C:\Python38\lib\site-packages\reportlab\lib\rl_safe_eval.py",
line 1266, in __rl_apply__
return func(*[a for a in self.__rl_getiter__(args)], **{k:v for
k,v in kwds.items()})
File "C:\Python38\lib\site-packages\reportlab\lib\rl_safe_eval.py",
line 996, in __call__
raise BadCode('missing global %s' % self.__name__)
reportlab.lib.rl_safe_eval.BadCode: missing global open
----
But I cannot find any code that uses this Macro class in the reportlab package;
maybe it's the caller's responsibility to ensure that the parameter
sent to Macro is sanitized.
Do you think this is a security bug?
regards,
zjuchenyuan
--- End Message ---
--- Begin Message ---
Source: python-reportlab
Source-Version: 4.0.4-11
Done: Georges Khaznadar <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-reportlab, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Georges Khaznadar <[email protected]> (supplier of updated python-reportlab
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 24 Aug 2023 10:19:11 +0200
Source: python-reportlab
Architecture: source
Version: 4.0.4-11
Distribution: unstable
Urgency: medium
Maintainer: Georges Khaznadar <[email protected]>
Changed-By: Georges Khaznadar <[email protected]>
Closes: 961524 1050218
Changes:
python-reportlab (4.0.4-11) unstable; urgency=medium
.
* removed the dependency on ttf-bitstream-vera, replaced by dependencies on
fonts-dejavu-core and fonts-dejavu-extra. Adapted
debian/python3-reportlab.links accordingly. Hopefully, this definitely
Closes: #1050218
* installed also Vera fonts which are included in the source package, as
their license is documented in debian/copyright
* checked that upstream sources are using rl_safe_exec instead of exec in
file src/reportlab/platypus/flowables.py. Closes: #961524
--- End Message ---
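A mechanized form of the check the maintainer records in the changelog above ("checked that upstream sources are using rl_safe_exec instead of exec"), added here as an example; it is not part of the bug thread or of the reportlab project. It parses the Python source of flowables.py with the standard ast module and reports any direct exec()/eval() call inside Macro.draw, so an unpatched backport and the upstream fix can be told apart; the two source fixtures are constructed to mirror the diff quoted in the report, and installed_macro_uses_raw_exec is a hypothetical helper name.

```python
import ast
import inspect

# Constructed fixture mirroring the unpatched Macro.draw quoted in the bug
# report; this is not the real flowables.py.
UNPATCHED_SRC = '''
class Macro(Flowable):
    def __init__(self, command):
        self.command = command
    def draw(self):
        exec(self.command, safer_globals(), {'canvas': self.canv})
'''

# Constructed fixture mirroring the upstream fix (rl_safe_exec, g=None).
PATCHED_SRC = '''
class Macro(Flowable):
    def draw(self):
        rl_safe_exec(self.command, g=None, l={'canvas': self.canv})
'''

def raw_exec_calls(source, class_name="Macro", method="draw"):
    """Line numbers of direct exec()/eval() calls inside class_name.method."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.ClassDef) and node.name == class_name):
            continue
        for fn in node.body:
            if not (isinstance(fn, ast.FunctionDef) and fn.name == method):
                continue
            # Only a bare Name call to exec/eval counts; rl_safe_exec does not.
            for call in ast.walk(fn):
                if (isinstance(call, ast.Call)
                        and isinstance(call.func, ast.Name)
                        and call.func.id in ("exec", "eval")):
                    hits.append(call.lineno)
    return hits

def installed_macro_uses_raw_exec():
    """Hypothetical audit helper: True if the installed reportlab's Macro.draw
    still calls exec() directly, False if not, None if reportlab is absent."""
    try:
        from reportlab.platypus import flowables
    except ImportError:
        return None
    return bool(raw_exec_calls(inspect.getsource(flowables)))

if __name__ == "__main__":
    print("fixtures:", raw_exec_calls(UNPATCHED_SRC), raw_exec_calls(PATCHED_SRC),
          "installed reportlab uses raw exec:", installed_macro_uses_raw_exec())
```

Run it on a host carrying the Debian backport to confirm whether the installed flowables.py still has the raw exec; an unpatched copy reports the line number of the call, a fixed one reports nothing.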