Version in base suite: 3.5.13-1 Base version: python-reportlab_3.5.13-1 Target version: python-reportlab_3.5.13-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-reportlab/python-reportlab_3.5.13-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-reportlab/python-reportlab_3.5.13-1+deb10u1.dsc changelog | 8 ++++ patches/CVE-2019-17626.patch | 84 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 93 insertions(+)
diff -Nru python-reportlab-3.5.13/debian/changelog python-reportlab-3.5.13/debian/changelog
--- python-reportlab-3.5.13/debian/changelog 2019-01-18 10:03:19.000000000 +0000
+++ python-reportlab-3.5.13/debian/changelog 2020-04-24 20:29:45.000000000 +0000
@@ -1,3 +1,11 @@
+python-reportlab (3.5.13-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Address remote code execution in colors.py (CVE-2019-17626)
+ (Closes: #942763)
+
+ -- Salvatore Bonaccorso Fri, 24 Apr 2020 22:29:45 +0200
+
 python-reportlab (3.5.13-1) unstable; urgency=medium
 
 * New upstream version.
diff -Nru python-reportlab-3.5.13/debian/patches/CVE-2019-17626.patch python-reportlab-3.5.13/debian/patches/CVE-2019-17626.patch
--- python-reportlab-3.5.13/debian/patches/CVE-2019-17626.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-reportlab-3.5.13/debian/patches/CVE-2019-17626.patch 2020-04-24 20:29:45.000000000 +0000
@@ -0,0 +1,84 @@
+Description: Fix CVE-2019-17626: remote code execution in colors.py
+ Parse input string of toColor.__call__ for color classes
+ .
+ It constructs respective object from the string then.
+ This currently supports CMYKColor, PCMYKColor, CMYKColorSep
+ and PCMYKColorSep.
+Origin: vendor, https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code#comment-55887892
+Bug: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
+Bug-Debian: https://bugs.debian.org/942763
+Forwarded: no
+Author: Marek Kasik
+Reviewed-by: Salvatore Bonaccorso
+Last-Update: 2020-04-24
+
+diff -r 9bb6ebf1b847 -r b47055e78d8b src/reportlab/lib/colors.py
+--- a/src/reportlab/lib/colors.py Fri Sep 20 14:12:39 2019 +0100
++++ b/src/reportlab/lib/colors.py Mon Jan 27 14:46:08 2020 +0100
+@@ -838,6 +838,53 @@
+ 
+ cssParse=cssParse()
+ 
++def parseColorClassFromString(arg):
++ '''Parses known classes which holds color information from string
++ and constructs respective object.
++ It constructs CMYKColor, PCMYKColor, CMYKColorSep and PCMYKColorSep now.
++ '''
++
++ # Strips input string and splits it with {'(', ')', ','} delimiters
++ splitted = "".join(arg.split()).replace('(', ',').replace(')','').split(',')
++
++ # Creates a "fingerprint" of given string made of {'(', ')', ','} characters only.
++ fingerprint = ''.join(c for c in arg if c in set('(,)'))
++
++ if (len(splitted) > 0):
++ if (splitted[0] == 'Color'):
++ if (fingerprint == '(,,,)'):
++ try:
++ return Color(*list(map(float, splitted[1:5])))
++ except:
++ return None
++ elif (fingerprint == '(,,)'):
++ try:
++ return Color(*list(map(float, splitted[1:4])))
++ except:
++ return None
++ elif (splitted[0] == 'CMYKColor' and fingerprint == '(,,,)'):
++ try:
++ return CMYKColor(*list(map(float, splitted[1:5])))
++ except:
++ return None
++ elif (splitted[0] == 'PCMYKColor' and fingerprint == '(,,,)'):
++ try:
++ return PCMYKColor(*list(map(float, splitted[1:5])))
++ except:
++ return None
++ elif (splitted[0] == 'CMYKColorSep' and fingerprint == '(,,,)'):
++ try:
++ return CMYKColorSep(*list(map(float, splitted[1:5])))
++ except:
++ return None
++ elif (splitted[0] == 'PCMYKColorSep' and fingerprint == '(,,,)'):
++ try:
++ return PCMYKColorSep(*list(map(float, splitted[1:5])))
++ except:
++ return None
++ else:
++ return None
++
+ class toColor:
+ 
+ def __init__(self):
+@@ -863,10 +910,8 @@
+ C = getAllNamedColors()
+ s = arg.lower()
+ if s in C: return C[s]
+- try:
+- return toColor(eval(arg))
+- except:
+- pass
++ parsedColor = parseColorClassFromString(arg)
++ if (parsedColor): return parsedColor
+ 
+ try:
+ return HexColor(arg)
diff -Nru python-reportlab-3.5.13/debian/patches/series python-reportlab-3.5.13/debian/patches/series
--- python-reportlab-3.5.13/debian/patches/series 2018-07-21 14:28:50.000000000 +0000
+++ python-reportlab-3.5.13/debian/patches/series 2020-04-24 20:29:45.000000000 +0000
@@ -1,2 +1,3 @@
 gsfonts.diff
 reproducible-build.patch
+CVE-2019-17626.patch
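Review bot: Each of the six `except:` clauses in parseColorClassFromString swallows every exception, including KeyboardInterrupt and SystemExit, while the only failure the code is guarding against is `float()` rejecting a non-numeric field; narrow them to `except (ValueError, TypeError): return None` so a genuine interpreter signal or a bug in a Color constructor is not silently turned into a miss. In the toColor.__call__ hunk (the method starts outside the hunk), the new `if (parsedColor): return parsedColor` tests the truthiness of the returned Color object rather than the None sentinel the helper documents; `if parsedColor is not None: return parsedColor` says what is meant and does not depend on the Color classes never defining a falsy value. The `if (len(splitted) > 0):` guard is always true, because `str.split(',')` returns at least one element, so it and its extra indentation level can be dropped. The docstring should also list `Color`, which the code handles, and state the deliberate narrowing relative to the removed eval path, e.g. `Only positional numeric arguments are recognised; keyword arguments (alpha, spotName, density) are not parsed and such strings fall through to the HexColor attempt in toColor.__call__.`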