paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
| OS | OS version | Architecture | Package | Affected version | Fixed package filename |
|---|---|---|---|---|---|
| Debian | 12 | all | python-reportlab | < 3.5.31-1 | python-reportlab_3.5.31-1_all.deb |
| Debian | 11 | all | python-reportlab | < 3.5.31-1 | python-reportlab_3.5.31-1_all.deb |
| Debian | 10 | all | python-reportlab | < 3.5.13-1+deb10u2 | python-reportlab_3.5.13-1+deb10u2_all.deb |
| Debian | 999 | all | python-reportlab | < 3.5.31-1 | python-reportlab_3.5.31-1_all.deb |
| Debian | 13 | all | python-reportlab | < 3.5.31-1 | python-reportlab_3.5.31-1_all.deb |
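The description above says the only safe content of a `unichar` element's `code` attribute is a code point, so a defender can screen paragraph markup for that attribute before it reaches ReportLab, and can check whether an installed upstream version predates the fix. The following is an added example written for this advisory; it is not ReportLab's own code and it assumes the markup being screened is well-formed XML (ReportLab's paraparser accepts a looser syntax) and that the `find_suspicious_unichar`, `parse_version` and `is_vulnerable_upstream` names are hypothetical helper names. The sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# A legitimate "code" attribute on <unichar> is a plain numeric literal:
# a decimal code point or a 0x-prefixed hexadecimal code point. Anything
# else is not a code point and should never reach the element handler.
_NUMERIC_CODE = re.compile(r"^\s*(?:0[xX][0-9A-Fa-f]+|[0-9]+)\s*$")

# First upstream release without the issue, per the advisory text.
FIXED_UPSTREAM = (3, 5, 31)


def find_suspicious_unichar(markup: str) -> list:
    """Return every <unichar code="..."> value in `markup` that is not a
    plain numeric literal. Assumes well-formed XML (hypothetical helper)."""
    # A synthetic root lets fragments with several top-level nodes parse.
    root = ET.fromstring("<root>" + markup + "</root>")
    findings = []
    for elem in root.iter("unichar"):
        code = elem.get("code")
        if code is None:
            continue  # name="..." lookups do not take the code attribute path
        if not _NUMERIC_CODE.match(code):
            findings.append(code)
    return findings


def parse_version(version: str) -> tuple:
    """Turn '3.5.30' into (3, 5, 30); a trailing non-numeric suffix such as
    the Debian '-1+deb10u2' revision is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_upstream(version: str) -> bool:
    """True when an upstream ReportLab version is older than 3.5.31.
    Distribution backports (Debian 10's 3.5.13-1+deb10u2 in the table above)
    carry the fix at a lower upstream number, so consult the package
    changelog rather than this check for distro packages."""
    return parse_version(version) < FIXED_UPSTREAM


if __name__ == "__main__":
    # Constructed sample markup, not taken from any real document.
    samples = [
        '<para>smile: <unichar code="0x263a"/> and <unichar code="9786"/></para>',
        '<para>not a code point: <unichar code="1+1"/></para>',
    ]
    for s in samples:
        print(s, "->", find_suspicious_unichar(s) or "clean")
    for v in ("3.5.30", "3.5.31", "3.6.0"):
        print(v, "vulnerable upstream:", is_vulnerable_upstream(v))
```

Run the screen on markup from untrusted sources before handing it to `Paragraph`; any non-empty result is a reason to reject the document. The version helper only answers for upstream version strings, which is why the Debian 10 row in the table needs the distribution's own changelog rather than a numeric comparison.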