Date: Mon, 19 Mar 2018 19:16:17 -0400
From: Gordo Lowrey <gordo@...eval.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter

Obviously, running a python notebook from an untrusted party is a bad 
idea, since notebooks are literally code executors...

Sure, there is something to be said about *javascript* execution... but 
there are a plethora of addons for Python notebooks that generate 
Javascript on-demand. Especially for visualizations, etc...

Why is this a "vulnerability" necessarily?

Just curious...


On Mon, Mar 19, 2018 at 7:53 AM, Ricter Zheng <ricterzheng@...il.com> 
wrote:
> Hi Thomas Kluyver,
> 
> I am a student from China majoring in information security, and I'm very 
> interested in the vulnerability. I tried to reproduce the vulnerability but
> failed, so can you provide some technical details about it?
> 
> Thank you.
> --
> Ricter Zheng
> 
> Thomas Kluyver <thomas@...yver.me.uk> wrote on Thu, 15 Mar 2018 at 
> 10:27 PM:
> 
>>  Email address of requester: security@...thon.org, thomas@...yver.me.uk,
>>  benjaminrk@...il.com, jkamens@...ntopian.com, ssanderson@...ntopian.com
>> 
>>  Software name: Jupyter Notebook (formerly IPython Notebook)
>>  Type of vulnerability: Maliciously forged file
>>  Attack outcome: Possible remote execution
>> 
>>  Vulnerability: A maliciously forged notebook file can bypass sanitization
>>  to execute Javascript in the notebook context. Specifically, invalid HTML
>>  is 'fixed' by jQuery after sanitization, making it dangerous.
>> 
>>  Affected versions:
>> 
>>  - notebook ≤ 5.4.0
>> 
>>  URI with issues:
>> 
>>  - GET /notebook/**
>> 
>>  Patches:  not yet finalised
>> 
>>  Mitigations:
>> 
>>  Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
>>  If using pip,
>> 
>>      pip install --upgrade notebook
>> 
>>  For conda:
>> 
>>      conda update conda
>>      conda update notebook
>> 
>>  Vulnerability reported by vkgonka@...l.ru , via Jonathan Kamens at
>>  Quantopian
>> 
>>  --
> Ricter Z
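The failure mode the quoted advisory describes, a sanitizer that approves a string which a lenient parser (jQuery, in the notebook's case) then reinterprets into something else, has a simple check: feeding the sanitizer's own output back through it must change nothing. The following is an added example written for this page, not Jupyter's code and not a reproduction of the notebook's sanitizer. Python's standard-library html.parser stands in for the browser/jQuery parser, the weak string-level `naive_sanitize`, the allow-lists and the sample inputs are all constructed for the demonstration.

```python
"""Sanitize-then-reparse: why a string-level sanitizer is not enough.

Added example for the Jupyter notebook advisory; not the project's code.
html.parser (a lenient parser) stands in for jQuery/the browser, and the
naive sanitizer, allow-lists and inputs below are constructed for the demo.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
VOID_TAGS = {"img", "br"}

# Constructed input: a string-level filter removes the inner <script></script>
# once and thereby *builds* the <script> tag it was supposed to remove.
PAYLOAD = "<scr<script></script>ipt>alert(1)</script>"
# Constructed benign rich-text input, to show the tree sanitizer keeps it.
RICH = ('<p>Hello <b>world</b> <a href="https://example.org/?a=1&amp;b=2" '
        'title=\'say "hi"\'>link</a> <img src="x.png" alt="x"></p>')


def naive_sanitize(html: str) -> str:
    """Deliberately weak string-level sanitizer: strip <script> blocks and
    on*= handlers with regexes and pass the *string* on.  It never sees the
    tree a lenient parser will build from its output."""
    html = re.sub(r"<script\b[^>]*>.*?</script>", "", html, flags=re.I | re.S)
    html = re.sub(r"""\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "", html, flags=re.I)
    return html


class _TreeSanitizer(HTMLParser):
    """Parse first, filter the parsed tree, then re-serialize with every text
    node and attribute value escaped, so the output re-parses to exactly the
    tree that was approved."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1  # drop the element and its contents
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS and not value.lower().lstrip().startswith("javascript:"):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def tree_sanitize(html: str) -> str:
    """Allow-list sanitizer that operates on the parsed tree, not the string."""
    p = _TreeSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def is_fixpoint(sanitizer, html: str) -> bool:
    """The check: sanitizing the sanitizer's own output must change nothing.
    If it does, the first pass approved text whose parsed form differs from
    what it looked at, which is exactly the sanitize-then-fix-up hazard."""
    once = sanitizer(html)
    return sanitizer(once) == once


if __name__ == "__main__":
    print("naive :", naive_sanitize(PAYLOAD), "| fixpoint:", is_fixpoint(naive_sanitize, PAYLOAD))
    print("tree  :", tree_sanitize(PAYLOAD), "| fixpoint:", is_fixpoint(tree_sanitize, PAYLOAD))
    print("rich  :", tree_sanitize(RICH))
```

The string-level filter returns `<script>alert(1)</script>` for the constructed payload and fails the fixpoint check, while the tree-based sanitizer is idempotent on both the payload and ordinary rich text because it serializes only what it parsed. The same idempotency test is a cheap regression check to run over a corpus of notebook outputs after any change to a sanitizer or to the parser that consumes its output.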
