Debian DLA-3590-1 : python-reportlab - LTS security update

critical Nessus Plugin ID 182381

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3590 advisory.

- ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color=' followed by arbitrary Python code.
(CVE-2019-17626)

- paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code=' followed by arbitrary Python code, a similar issue to CVE-2019-17626. (CVE-2019-19450)

- All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src=http://127.0.0.1:5000 valign=top/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7.
dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF (CVE-2020-28463)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the python-reportlab packages.

For Debian 10 buster, these problems have been fixed in version 3.5.13-1+deb10u2.

See Also

http://www.nessus.org/u?cca36a40

https://www.debian.org/lts/security/2023/dla-3590

https://security-tracker.debian.org/tracker/CVE-2019-17626

https://security-tracker.debian.org/tracker/CVE-2019-19450

https://security-tracker.debian.org/tracker/CVE-2020-28463

https://packages.debian.org/source/buster/python-reportlab

Plugin Details

Severity: Critical

ID: 182381

File Name: debian_DLA-3590.nasl

Version: 1.0

Type: local

Agent: unix

Published: 9/30/2023

Updated: 9/30/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-17626

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-19450

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-reportlab-accel, p-cpe:/a:debian:debian_linux:python-reportlab, p-cpe:/a:debian:debian_linux:python-reportlab-accel-dbg, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:python-renderpm, p-cpe:/a:debian:debian_linux:python3-renderpm, p-cpe:/a:debian:debian_linux:python3-reportlab-accel-dbg, p-cpe:/a:debian:debian_linux:python-reportlab-doc, p-cpe:/a:debian:debian_linux:python3-renderpm-dbg, p-cpe:/a:debian:debian_linux:python3-reportlab-accel, p-cpe:/a:debian:debian_linux:python-renderpm-dbg, p-cpe:/a:debian:debian_linux:python3-reportlab

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/29/2023

Vulnerability Publication Date: 10/16/2019

Reference Information

CVE: CVE-2019-17626, CVE-2019-19450, CVE-2020-28463