[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: python-reportlab: CVE-2019-17626: remote code execution in colors.py


a fix was recently published for this issue. I am concerned that it might
no be fit for a DSA/DLA:

(1) upstream imported a number of snippets from ZPL licensed projects. I
    don't think it respected the ZPL terms.

(2) the changes are large and hard to review. Pretending that these changes
    address the vulnerability completely would be a little bit presumptuous.

    Furthermore, the code imported from Zope provides "safe" evaluation of
    Python code. This kind of code is complex, and prone to security
    vulnerabilities and bugs. There are definitely regressions in there.

I have asked upstream regarding the licensing issue. For the rest, I think
we should wait for followups, or possibly a better patch.

Any comments/advice?


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: