fix CVE-2019-17626

CVE-2019-17626.patch

@@ -0,0 +1,81 @@
+# HG changeset patch
+# User mkasik@redhat.com
+# Date 1580132768 -3600
+#      Mon Jan 27 14:46:08 2020 +0100
+# Node ID b47055e78d8b3e49e7bb5b9cdaa55d449b996764
+# Parent  9bb6ebf1b8473e3dc11740cbdce0d5dc1a1afae2
+Parse input string of toColor.__call__ for color classes
+
+It constructs respective object from the string then.
+This currently supports CMYKColor, PCMYKColor, CMYKColorSep
+and PCMYKColorSep.
+
+--- a/src/reportlab/lib/colors.py
++++ b/src/reportlab/lib/colors.py
+@@ -833,6 +833,53 @@ class cssParse:
+ 
+ cssParse=cssParse()
+ 
++def parseColorClassFromString(arg):
++    '''Parses known classes which holds color information from string
++    and constructs respective object.
++    It constructs CMYKColor, PCMYKColor, CMYKColorSep and PCMYKColorSep now.
++    '''
++
++    # Strips input string and splits it with {'(', ')', ','} delimiters
++    splitted = "".join(arg.split()).replace('(', ',').replace(')','').split(',')
++
++    # Creates a "fingerprint" of given string made of {'(', ')', ','} characters only.
++    fingerprint = ''.join(c for c in arg if c in set('(,)'))
++
++    if (len(splitted) > 0):
++        if (splitted[0] == 'Color'):
++            if (fingerprint == '(,,,)'):
++                try:
++                    return Color(*list(map(float, splitted[1:5])))
++                except:
++                    return None
++            elif (fingerprint == '(,,)'):
++                try:
++                    return Color(*list(map(float, splitted[1:4])))
++                except:
++                    return None
++        elif (splitted[0] == 'CMYKColor' and fingerprint == '(,,,)'):
++            try:
++                return CMYKColor(*list(map(float, splitted[1:5])))
++            except:
++                return None
++        elif (splitted[0] == 'PCMYKColor' and fingerprint == '(,,,)'):
++            try:
++                return PCMYKColor(*list(map(float, splitted[1:5])))
++            except:
++                return None
++        elif (splitted[0] == 'CMYKColorSep' and fingerprint == '(,,,)'):
++            try:
++                return CMYKColorSep(*list(map(float, splitted[1:5])))
++            except:
++                return None
++        elif (splitted[0] == 'PCMYKColorSep' and fingerprint == '(,,,)'):
++            try:
++                return PCMYKColorSep(*list(map(float, splitted[1:5])))
++            except:
++                return None
++    else:
++                return None
++
+ class toColor:
+ 
+     def __init__(self):
+@@ -858,10 +905,8 @@ class toColor:
+             C = getAllNamedColors()
+             s = arg.lower()
+             if s in C: return C[s]
+-            try:
+-                return toColor(eval(arg))
+-            except:
+-                pass
++            parsedColor = parseColorClassFromString(arg)
++            if (parsedColor): return parsedColor
+ 
+         try:
+             return HexColor(arg)

python-reportlab.spec

@@ -2,12 +2,13 @@
 
 Name:             python-reportlab
 Version:          3.4.0
-Release:          12
+Release:          13
 Summary:          ReportLab library to create PDF documents and graphic
 License:          BSD
 URL:              https://www.reportlab.com/
 Source0:          https://pypi.python.org/packages/source/r/reportlab/reportlab-%{version}.tar.gz
 Patch0001:        0fbf25e4857423f6a38ca7f5aeee1c84acaa3fc1.patch
+Patch0002:        CVE-2019-17626.patch
 
 %description
 The ReportLab Toolkit. An Open Source Python library for generating PDFs and graphics.
@@ -59,6 +60,9 @@ PYTHONPATH="`pwd`/`ls -d build/lib*`" %{__python3} docs/genAll.py
 %doc demos/ tools/
 
 %changelog
+* Wed Jul 21 2021 yaoxin <yaoxin30@huawei.com> - 3.4.0-13
+- Fix CVE-2019-17626
+
 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 3.4.0-12
 - Completing build dependencies