--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-report...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:python-reportlab
User: release.debian....@packages.debian.org
Usertags: pu
Control: tags -1 + security
[ Reason ]
CVE-2023-33733
[ Impact ]
RCE
[ Tests ]
Yes package test run at build time
[ Risks ]
Low
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- CVE-2023-33733 fix
- salsa CI
[ Other info ]
Did you prefer a DSA upload or a PU
diff -Nru python-reportlab-3.6.12/debian/changelog python-reportlab-3.6.12/debian/changelog
--- python-reportlab-3.6.12/debian/changelog 2022-12-31 10:05:33.000000000 +0000
+++ python-reportlab-3.6.12/debian/changelog 2024-10-12 17:14:35.000000000 +0000
@@ -1,3 +1,13 @@
+python-reportlab (3.6.12-1+deb12u1) bookworm-security; urgency=high
+
+ * Team upload
+ * Fix CVE-2023-33733
+ Reportlab was vulnerable to Remote Code Execution (RCE)
+ via crafted PDF file.
+ * Add SalsaCI
+
+ -- Bastien Roucari??s <ro...@debian.org> Sat, 12 Oct 2024 17:14:35 +0000
+
python-reportlab (3.6.12-1) unstable; urgency=medium
* New upstream version.
diff -Nru python-reportlab-3.6.12/debian/patches/0005-CVE-2023-33733-RCE-via-crafted-PDF-file.patch python-reportlab-3.6.12/debian/patches/0005-CVE-2023-33733-RCE-via-crafted-PDF-file.patch
--- python-reportlab-3.6.12/debian/patches/0005-CVE-2023-33733-RCE-via-crafted-PDF-file.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-reportlab-3.6.12/debian/patches/0005-CVE-2023-33733-RCE-via-crafted-PDF-file.patch 2024-10-12 17:14:35.000000000 +0000
@@ -0,0 +1,344 @@
+From: Robin Becker <reportlab-us...@lists2.reportlab.com>
+Date: Mon, 24 Apr 2023 13:52:40 +0100
+Subject: CVE-2023-33733 RCE via crafted PDF file
+
+origin: https://hg.reportlab.com/hg-public/reportlab/rev/1c39d2db15bb
+bug: https://github.com/c53elyas/CVE-2023-33733
+---
+ src/reportlab/lib/colors.py | 79 +++++++++++++++++++++++++++++++--------
+ src/reportlab/lib/rl_safe_eval.py | 71 ++++++++++++++++++++++++++++++++++-
+ src/reportlab/lib/utils.py | 2 +-
+ src/reportlab/rl_settings.py | 4 +-
+ tests/test_lib_rl_safe_eval.py | 49 ++++++++++++++++++++++--
+ 5 files changed, 181 insertions(+), 24 deletions(-)
+
+diff --git a/src/reportlab/lib/colors.py b/src/reportlab/lib/colors.py
+index b7487db..839a674 100644
+--- a/src/reportlab/lib/colors.py
++++ b/src/reportlab/lib/colors.py
+@@ -41,7 +41,8 @@ ValueError: css color 'pcmyka(100,0,0,0)' has wrong number of components
+ '''
+ import math, re, functools
+ from reportlab.lib.rl_accel import fp_str
+-from reportlab.lib.utils import asNative, isStr, rl_safe_eval
++from reportlab.lib.utils import asNative, isStr, rl_safe_eval, rl_extended_literal_eval
++from reportlab import rl_config
+ from ast import literal_eval
+
+ class Color:
+@@ -882,6 +883,17 @@ def parseColorClassFromString(arg):
+ return None
+
+ class toColor:
++ """Accepot an expression returnng a Color subclass.
++
++ This used to accept arbitrary Python expressions, which resulted in increasngly devilish CVEs and
++ security holes from tie to time. In April 2023 we are creating explicit, "dumb" parsing code to
++ replace this. Acceptable patterns are
++
++ a Color instance passed in by the Python programmer
++ a named list of colours ('pink' etc')
++ list of 3 or 4 numbers
++ all CSS colour expression
++ """
+ _G = {} #globals we like (eventually)
+
+ def __init__(self):
+@@ -907,22 +919,57 @@ class toColor:
+ C = getAllNamedColors()
+ s = arg.lower()
+ if s in C: return C[s]
+- G = C.copy()
+- G.update(self.extraColorsNS)
+- if not self._G:
++
++
++ # allow expressions like 'Blacker(red, 0.5)'
++ # >>> re.compile(r"(Blacker|Whiter)\((\w+)\,\s?([0-9.]+)\)").match(msg).groups()
++ # ('Blacker', 'red', '0.5')
++ # >>>
++ pat = re.compile(r"(Blacker|Whiter)\((\w+)\,\s?([0-9.]+)\)")
++ m = pat.match(arg)
++ if m:
++ funcname, rootcolor, num = m.groups()
++ if funcname == 'Blacker':
++ return Blacker(rootcolor, float(num))
++ else:
++ return Whiter(rootcolor, float(num))
++
++ try:
++ import ast
++ expr = ast.literal_eval(arg) #safe probably only a tuple or list of values
++ return toColor(expr)
++ except (SyntaxError, ValueError):
++ pass
++
++ if rl_config.toColorCanUse=='rl_safe_eval':
++ #the most dangerous option
++ G = C.copy()
++ G.update(self.extraColorsNS)
++ if not self._G:
++ C = globals()
++ self._G = {s:C[s] for s in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
++ _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
++ _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
++ cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb isStr linearlyInterpolatedColor
++ literal_eval obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()}
++ G.update(self._G)
++ try:
++ return toColor(rl_safe_eval(arg,g=G,l={}))
++ except:
++ pass
++ elif rl_config.toColorCanUse=='rl_extended_literal_eval':
+ C = globals()
+- self._G = {s:C[s] for s in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
+- _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
+- _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
+- cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb isStr linearlyInterpolatedColor
+- literal_eval obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()}
+- G.update(self._G)
+- #try:
+- # return toColor(rl_safe_eval(arg,g=G,l={}))
+- #except:
+- # pass
+- parsedColor = parseColorClassFromString(arg)
+- if (parsedColor): return parsedColor
++ S = getAllNamedColors().copy()
++ C = {k:C[k] for k in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
++ _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
++ _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
++ cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb linearlyInterpolatedColor
++ obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()
++ if callable(C.get(k,None))}
++ try:
++ return rl_extended_literal_eval(arg,C,S)
++ except (ValueError, SyntaxError):
++ pass
+
+ try:
+ return HexColor(arg)
+diff --git a/src/reportlab/lib/rl_safe_eval.py b/src/reportlab/lib/rl_safe_eval.py
+index 49828c9..50834f6 100644
+--- a/src/reportlab/lib/rl_safe_eval.py
++++ b/src/reportlab/lib/rl_safe_eval.py
+@@ -3,7 +3,7 @@
+ #https://github.com/zopefoundation/RestrictedPython
+ #https://github.com/danthedeckie/simpleeval
+ #hopefully we are standing on giants' shoulders
+-import sys, os, ast, re, weakref, time, copy, math
++import sys, os, ast, re, weakref, time, copy, math, types
+ eval_debug = int(os.environ.get('EVAL_DEBUG','0'))
+ strTypes = (bytes,str)
+ isPy39 = sys.version_info[:2]>=(3,9)
+@@ -53,7 +53,9 @@ __rl_unsafe__ = frozenset('''builtins breakpoint __annotations__ co_argcount co_
+ func_doc func_globals func_name gi_code gi_frame gi_running gi_yieldfrom
+ __globals__ im_class im_func im_self __iter__ __kwdefaults__ __module__
+ __name__ next __qualname__ __self__ tb_frame tb_lasti tb_lineno tb_next
+- globals vars locals'''.split()
++ globals vars locals
++ type eval exec aiter anext compile open
++ dir print classmethod staticmethod __import__ super property'''.split()
+ )
+ __rl_unsafe_re__ = re.compile(r'\b(?:%s)' % '|'.join(__rl_unsafe__),re.M)
+
+@@ -1204,5 +1206,70 @@ class __rl_safe_eval__:
+ class __rl_safe_exec__(__rl_safe_eval__):
+ mode = 'exec'
+
++def rl_extended_literal_eval(expr, safe_callables=None, safe_names=None):
++ if safe_callables is None:
++ safe_callables = {}
++ if safe_names is None:
++ safe_names = {}
++ safe_names = safe_names.copy()
++ safe_names.update({'None': None, 'True': True, 'False': False})
++ #make these readonly with MappingProxyType
++ safe_names = types.MappingProxyType(safe_names)
++ safe_callables = types.MappingProxyType(safe_callables)
++ if isinstance(expr, str):
++ expr = ast.parse(expr, mode='eval')
++ if isinstance(expr, ast.Expression):
++ expr = expr.body
++ try:
++ # Python 3.4 and up
++ ast.NameConstant
++ safe_test = lambda n: isinstance(n, ast.NameConstant) or isinstance(n,ast.Name) and n.id in safe_names
++ safe_extract = lambda n: n.value if isinstance(n,ast.NameConstant) else safe_names[n.id]
++ except AttributeError:
++ # Everything before
++ safe_test = lambda n: isinstance(n, ast.Name) and n.id in safe_names
++ safe_extract = lambda n: safe_names[n.id]
++ def _convert(node):
++ if isinstance(node, (ast.Str, ast.Bytes)):
++ return node.s
++ elif isinstance(node, ast.Num):
++ return node.n
++ elif isinstance(node, ast.Tuple):
++ return tuple(map(_convert, node.elts))
++ elif isinstance(node, ast.List):
++ return list(map(_convert, node.elts))
++ elif isinstance(node, ast.Dict):
++ return dict((_convert(k), _convert(v)) for k, v
++ in zip(node.keys, node.values))
++ elif safe_test(node):
++ return safe_extract(node)
++ elif isinstance(node, ast.UnaryOp) and \
++ isinstance(node.op, (ast.UAdd, ast.USub)) and \
++ isinstance(node.operand, (ast.Num, ast.UnaryOp, ast.BinOp)):
++ operand = _convert(node.operand)
++ if isinstance(node.op, ast.UAdd):
++ return + operand
++ else:
++ return - operand
++ elif isinstance(node, ast.BinOp) and \
++ isinstance(node.op, (ast.Add, ast.Sub)) and \
++ isinstance(node.right, (ast.Num, ast.UnaryOp, ast.BinOp)) and \
++ isinstance(node.right.n, complex) and \
++ isinstance(node.left, (ast.Num, ast.UnaryOp, astBinOp)):
++ left = _convert(node.left)
++ right = _convert(node.right)
++ if isinstance(node.op, ast.Add):
++ return left + right
++ else:
++ return left - right
++ elif isinstance(node, ast.Call) and \
++ isinstance(node.func, ast.Name) and \
++ node.func.id in safe_callables:
++ return safe_callables[node.func.id](
++ *[_convert(n) for n in node.args],
++ **{kw.arg: _convert(kw.value) for kw in node.keywords})
++ raise ValueError('Bad expression')
++ return _convert(expr)
++
+ rl_safe_exec = __rl_safe_exec__()
+ rl_safe_eval = __rl_safe_eval__()
+diff --git a/src/reportlab/lib/utils.py b/src/reportlab/lib/utils.py
+index 5a6b5d7..a53a05c 100644
+--- a/src/reportlab/lib/utils.py
++++ b/src/reportlab/lib/utils.py
+@@ -11,7 +11,7 @@ from io import BytesIO
+ from hashlib import md5
+
+ from reportlab.lib.rltempfile import get_rl_tempfile, get_rl_tempdir
+-from . rl_safe_eval import rl_safe_exec, rl_safe_eval, safer_globals
++from . rl_safe_eval import rl_safe_exec, rl_safe_eval, safer_globals, rl_extended_literal_eval
+ from PIL import Image
+
+ class __UNSET__:
+diff --git a/src/reportlab/rl_settings.py b/src/reportlab/rl_settings.py
+index 0cf5150..a11289f 100644
+--- a/src/reportlab/rl_settings.py
++++ b/src/reportlab/rl_settings.py
+@@ -69,7 +69,8 @@ trustedHosts
+ trustedSchemes
+ renderPMBackend
+ xmlParser
+-textPaths'''.split())
++textPaths
++toColorCanUse'''.split())
+
+ allowTableBoundsErrors = 1 # set to 0 to die on too large elements in tables in debug (recommend 1 for production use)
+ shapeChecking = 1
+@@ -163,6 +164,7 @@ xmlParser='lxml' #or 'pyrxp' for preferred xm
+ textPaths='backend' #freetype or _renderPM or backend
+ #determines what code is used to create Paths from str
+ #see reportlab/graphics/utils.py for full horror
++toColorCanUse='rl_extended_literal_eval' #change to None or 'rl_safe_eval' depending on trust
+
+ # places to look for T1Font information
+ T1SearchPath = (
+diff --git a/tests/test_lib_rl_safe_eval.py b/tests/test_lib_rl_safe_eval.py
+index 84bd86f..fd556eb 100644
+--- a/tests/test_lib_rl_safe_eval.py
++++ b/tests/test_lib_rl_safe_eval.py
+@@ -1,6 +1,6 @@
+ #Copyright ReportLab Europe Ltd. 2000-2017
+ #see license.txt for license details
+-"""Tests for reportlab.lib.rl_eval
++"""Tests for reportlab.lib.rl_safe_eval
+ """
+ __version__='3.5.33'
+ from reportlab.lib.testutils import setOutDir,makeSuiteForClasses, printLocation
+@@ -10,7 +10,7 @@ import reportlab
+ from reportlab import rl_config
+ import unittest
+ from reportlab.lib import colors
+-from reportlab.lib.utils import rl_safe_eval, rl_safe_exec, annotateException
++from reportlab.lib.utils import rl_safe_eval, rl_safe_exec, annotateException, rl_extended_literal_eval
+ from reportlab.lib.rl_safe_eval import BadCode
+
+ testObj = [1,('a','b',2),{'A':1,'B':2.0},"32"]
+@@ -52,7 +52,6 @@ class SafeEvalTestSequenceMeta(type):
+ 'dict(a=1).get("a",2)',
+ 'dict(a=1).pop("a",2)',
+ '{"_":1+_ for _ in (1,2)}.pop(1,None)',
+- '(type(1),type(str),type(testObj),type(TestClass))',
+ '1 if True else "a"',
+ '1 if False else "a"',
+ 'testFunc(bad=False)',
+@@ -74,6 +73,8 @@ class SafeEvalTestSequenceMeta(type):
+ (
+ 'fail',
+ (
++ 'vars()',
++ '(type(1),type(str),type(testObj),type(TestClass))',
+ 'open("/tmp/myfile")',
+ 'SafeEvalTestCase.__module__',
+ ("testInst.__class__.__bases__[0].__subclasses__()",dict(g=dict(testInst=testInst))),
+@@ -97,6 +98,8 @@ class SafeEvalTestSequenceMeta(type):
+ 'testFunc(bad=True)',
+ 'getattr(testInst,"__class__",14)',
+ '"{1}{2}".format(1,2)',
++ 'builtins',
++ '[ [ [ [ ftype(ctype(0, 0, 0, 0, 3, 67, b"t\\x00d\\x01\\x83\\x01\\xa0\\x01d\\x02\\xa1\\x01\\x01\\x00d\\x00S\\x00", (None, "os", "touch /tmp/exploited"), ("__import__", "system"), (), "<stdin>", "", 1, b"\\x12\\x01"), {})() for ftype in [type(lambda: None)] ] for ctype in [type(getattr(lambda: {None}, Word("__code__")))] ] for Word in [orgTypeFun("Word", (str,), { "mutated": 1, "startswith": lambda self, x: False, "__eq__": lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, "mutate": lambda self: {setattr(self, "mutated", self.mutated - 1)}, "__hash__": lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))]] and "red"',
+ )
+ ),
+ ):
+@@ -155,8 +158,46 @@ class SafeEvalTestBasics(unittest.TestCase):
+ def test_002(self):
+ self.assertTrue(rl_safe_eval("GA=='ga'"))
+
++class ExtendedLiteralEval(unittest.TestCase):
++ def test_001(self):
++ S = colors.getAllNamedColors().copy()
++ C = {s:getattr(colors,s) for s in '''Blacker CMYKColor CMYKColorSep Color ColorType HexColor PCMYKColor PCMYKColorSep Whiter
++ _chooseEnforceColorSpace _enforceCMYK _enforceError _enforceRGB _enforceSEP _enforceSEP_BLACK
++ _enforceSEP_CMYK _namedColors _re_css asNative cmyk2rgb cmykDistance color2bw colorDistance
++ cssParse describe fade fp_str getAllNamedColors hsl2rgb hue2rgb linearlyInterpolatedColor
++ obj_R_G_B opaqueColor rgb2cmyk setColors toColor toColorOrNone'''.split()
++ if callable(getattr(colors,s,None))}
++ def showVal(s):
++ try:
++ r = rl_extended_literal_eval(s,C,S)
++ except:
++ r = str(sys.exc_info()[1])
++ return r
++
++ for expr, expected in (
++ ('1.0', 1.0),
++ ('1', 1),
++ ('red', colors.red),
++ ('True', True),
++ ('False', False),
++ ('None', None),
++ ('Blacker(red,0.5)', colors.Color(.5,0,0,1)),
++ ('PCMYKColor(21,10,30,5,spotName="ABCD")', colors.PCMYKColor(21,10,30,5,spotName='ABCD',alpha=100)),
++ ('HexColor("#ffffff")', colors.Color(1,1,1,1)),
++ ('linearlyInterpolatedColor(red, blue, 0, 1, 0.5)', colors.Color(.5,0,.5,1)),
++ ('red.rgb()', 'Bad expression'),
++ ('__import__("sys")', 'Bad expression'),
++ ('globals()', 'Bad expression'),
++ ('locals()', 'Bad expression'),
++ ('vars()', 'Bad expression'),
++ ('builtins', 'Bad expression'),
++ ('__file__', 'Bad expression'),
++ ('__name__', 'Bad expression'),
++ ):
++ self.assertEqual(showVal(expr),expected,f"rl_extended_literal_eval({expr!r}) is not equal to expected {expected}")
++
+ def makeSuite():
+- return makeSuiteForClasses(SafeEvalTestCase,SafeEvalTestBasics)
++ return makeSuiteForClasses(SafeEvalTestCase,SafeEvalTestBasics,ExtendedLiteralEval)
+
+ if __name__ == "__main__": #noruntests
+ unittest.TextTestRunner().run(makeSuite())
diff -Nru python-reportlab-3.6.12/debian/patches/series python-reportlab-3.6.12/debian/patches/series
--- python-reportlab-3.6.12/debian/patches/series 2021-03-13 12:29:10.000000000 +0000
+++ python-reportlab-3.6.12/debian/patches/series 2024-10-12 17:14:35.000000000 +0000
@@ -2,3 +2,4 @@
reproducible-build.patch
toColor.patch
reportlab-version.diff
+0005-CVE-2023-33733-RCE-via-crafted-PDF-file.patch
diff -Nru python-reportlab-3.6.12/debian/salsa-ci.yml python-reportlab-3.6.12/debian/salsa-ci.yml
--- python-reportlab-3.6.12/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ python-reportlab-3.6.12/debian/salsa-ci.yml 2024-10-12 17:14:35.000000000 +0000
@@ -0,0 +1,12 @@
+# For more information on what jobs are run see:
+# https://salsa.debian.org/salsa-ci-team/pipeline
+#
+# To enable the jobs, go to your repository (at salsa.debian.org)
+# and click over Settings > CI/CD > Expand (in General pipelines).
+# In "CI/CD configuration file" write debian/salsa-ci.yml and click
+# in "Save Changes". The CI tests will run after the next commit.
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+ RELEASE: 'bookworm'
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
