Date: Thu, 11 Aug 2016 09:08:05 -0400
From: Sylvain Corlay <sylvain.corlay@...il.com>
To: oss-security@...ts.openwall.com, Fernando Perez <fperez@....gov>, 
	Matthias Bussonnier <mbussonnier@...keley.edu>, Jamie Whitacre <whitacre@...keley.edu>
Subject: Re: CVE Request: ipywidgets executes untrusted JavaScript

Hello everyone,

I am following up on this CVE request. Did we miss something in how the
request is formulated?

Thanks,

Sylvain

On Fri, Jul 1, 2016 at 6:12 PM, Sylvain Corlay <sylvain.corlay@...il.com>
wrote:

> *Description*
>
> ipywidgets version 5.1.5 (and the companion package widgetsnbextension
> 1.2.3) fixes a security vulnerability which affects the usage of ipywidgets
> in conjunction with the Jupyter Notebook. (The GitHub repository for the
> project is https://github.com/ipython/ipywidgets)
>
> *Affected versions*
>
> The affected versions of ipywidgets are:
>
> ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (and widgetsnbextension < 1.2.3), …
>
> Only users who installed ipywidgets using pip or from source on the GitHub
> repository are affected.
>
> Anaconda users are unaffected because the vulnerable version of ipywidgets
> has never been released to the default conda channel.
>
> *Resolution*
>
> We recently released ipywidgets version 5.1.5 (widgetsnbextension version
> 1.2.3). You can check whether your system is affected by running the
> following command:
>
>    >>> from distutils.version import LooseVersion as V
>    >>> import ipywidgets
>    >>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'):
>    ...     print("Upgrade ipywidgets to 5.1.5")
>
> If your system is vulnerable, you will see the following output:
>
>     Upgrade ipywidgets to 5.1.5
>
> If your system is vulnerable please upgrade to ipywidgets version 5.1.5.
> Use the following command to install:
>
>    $ pip install "ipywidgets>=5.1.5"
>
> or
>
>    $ conda install "ipywidgets>=5.1.5"
>
> *Technical details*
>
> The vulnerability was discovered following an investigation of a potential
> vulnerability reported by Brian Granger to the ipython-security mailing
> list (security@...thon.org) on May 5.
>
> The reason for such behavior was determined on May 5 by Matthias
> Bussonnier.
>
> A fix was proposed, written and reviewed, then
> [merged](https://github.com/ipython/ipywidgets/pull/591) into the
> development branch on May 20, and a non-vulnerable version released on May 25.
>
> A widget snapshotting feature introduced in ipywidgets 5.0.0
> (https://github.com/ipython/ipywidgets/pull/314/) allowed untrusted
> JavaScript code to execute in an untrusted notebook on loading and saving
> of a notebook. A well-crafted notebook could execute arbitrary code with
> the rights of the current user in the context of the page, the notebook
> server, and available kernels.
>
> We recommend immediate upgrade of the ipywidgets package.
>
> There is no simple configuration option that could mitigate the system for
> vulnerability. The user must upgrade to ipywidgets version 5.1.5 or
> downgrade to 4.x.
>
> *Future Plan*
>
> The security issue resulted from the seemingly harmless combination of
> calls:
>
>     json = cell.get_json()
>     json = update_json(json)
>     cell.clear_output()
>     cell.from_json()
>
> The clear_output() method has as a consequence to mark the cell as
> trusted (as it has no output that can potentially execute JavaScript). This
> is followed by the next call which can trigger JavaScript execution in the
> page context.
>
> We plan on improving the notebook API so that clear_output() does not
> change the trusted status of a cell (or a notebook), to prevent mistakes
> like this from having security consequences. This will lead to the slight
> behavior change that an empty cell with no output can be untrusted.
>
> We learned that we are not completely ready for fast release of security
> fixes. The time from vulnerability discovery to available fix, release, and
> announcement can and should be shorter.
>
> We encourage users who find possible security issues to notify
> security@...thon.org.
>
> Thanks!
>
> The Jupyter team
>
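Added illustration, not code from the advisory or from the ipywidgets project: a small model of the cell trust flag that reproduces the sequence quoted above (get_json, update, clear_output, from_json), once with the old clear_output() that marks the cell trusted and once with the planned behaviour that leaves trust untouched. The Cell class, the output format and the sample notebook content are all constructed for this example.

```python
# Constructed model of the ipywidgets 5.0.0-5.1.4 snapshot bug: outputs that
# can run JavaScript are rendered only when the cell is trusted, so whatever
# clear_output() does to the trust flag decides what from_json() will execute.

class Cell:
    def __init__(self, outputs, trusted=False):
        self.outputs = list(outputs)
        self.trusted = trusted          # notebook files from disk start untrusted
        self.executed_scripts = []      # records JS the page would have run

    def get_json(self):
        return {"outputs": list(self.outputs)}

    def clear_output_vulnerable(self):
        # Old behaviour: an empty cell cannot run anything, so mark it trusted.
        self.outputs = []
        self.trusted = True

    def clear_output_fixed(self):
        # Planned behaviour: clearing outputs does not change trust status.
        self.outputs = []

    def from_json(self, json):
        # Re-rendering outputs executes script outputs only in a trusted cell.
        self.outputs = list(json["outputs"])
        for out in self.outputs:
            if out.get("mime") == "application/javascript" and self.trusted:
                self.executed_scripts.append(out["data"])


def update_json(json):
    # Stand-in for the widget snapshot update; it leaves the outputs as they are.
    return json


def snapshot(cell, clear):
    # The seemingly harmless call sequence from the advisory.
    json = cell.get_json()
    json = update_json(json)
    clear(cell)
    cell.from_json(json)
    return cell.executed_scripts


# Constructed sample: an untrusted notebook cell carrying one script output.
SAMPLE_OUTPUTS = [{"mime": "application/javascript", "data": "console.log('sample')"}]

def run_vulnerable():
    return snapshot(Cell(SAMPLE_OUTPUTS), Cell.clear_output_vulnerable)

def run_fixed():
    return snapshot(Cell(SAMPLE_OUTPUTS), Cell.clear_output_fixed)
```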
