Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 1 Jul 2016 18:12:46 -0400
From: Sylvain Corlay <sylvain.corlay@...il.com>
To: oss-security@...ts.openwall.com, Fernando Perez <fperez@....gov>, 
	Matthias Bussonnier <mbussonnier@...keley.edu>, Jamie Whitacre <whitacre@...keley.edu>
Subject: CVE Request: ipywidgets executes untrusted JavaScript

*Description*

ipywidgets version 5.1.5 (and the companion package widgetsnbextension
1.2.3) fixes a security vulnerability which affects the usage of ipywidgets
in conjunction with the Jupyter Notebook. (The GitHub repository for the
project is https://github.com/ipython/ipywidgets)

*Affected versions*

The affected versions of ipywidgets are:

ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (and widgetsnbextension < 1.2.3), …

Only users who installed ipywidgets using pip or from source on the GitHub
repository are affected.

Anaconda users are unaffected because the vulnerable version of ipywidget
has never been released to the default conda channel.

*Resolution*

We recently released ipywidgets version 5.1.5 (widgetsnbextension version
1.2.3). You can check whether your system is affected by running the
following command:

   >>> from distutils.version import LooseVersion as V
   >>> import ipywidgets
   >>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'):
   >>>     print("Upgrade ipywidgets to 5.1.5")

If your system is vulnerable, you will see the following output:

    Upgrade ipywidgets to 5.1.5

If your system is vulnerable please upgrade to ipywidgets version 5.1.5.
Use the following command to install:

   $ pip install "ipywidgets>=5.1.5"

or

   $ conda install "ipywidgets>=5.1.5"

*Technical details*

The vulnerability was discovered following an investigation of a potential
vulnerability reported by Brian Granger to the ipython-security mailing
list (security@...thon.org) on May 5.

The reason for such behavior was determined on May 5 by Matthias Bussonnier.

A fix was proposed written and reviewed, then [merged](
https://github.com/ipython/ipywidgets/pull/591) into the development branch
on May 20, and a non vulnerable version released on May 25.

A widget snapshotting feature introduced in ipywidgets 5.0.0 (
https://github.com/ipython/ipywidgets/pull/314/) allowed untrusted
javascript code to execute in an untrusted notebook on loading and saving
of a notebook.  A well crafted notebook could execute arbitrary code with
the rights of the current user in the context of the page, the notebook
server, and available kernels.

We recommend immediate upgrade of the ipywidgets package.

There is no simple configuration option that could mitigate the system for
vulnerability. The user must upgrade to ipywidget version 5.1.5 or
downgrade to 4.x.

*Future Plan*

The security issue resulted from the seemingly harmless combination of
calls:

    json = cell.get_json()
    json = update_json(json)
    cell.clear_output()
    cell.from_json()

The clear_output()  method has as a consequence to mark the cell as trusted
(as it has no output that can potentially execute javascript). This is
followed by the next call which can trigger JavaScript execution in the
page context.

We plan on improving the notebook API so that clear_output() does not
change the trusted status of a cell (or a notebook), to prevent mistakes
like this from having security consequences. This will lead to the slight
behavior change that an empty cell with no output can be untrusted.

We learned that we are not completely ready for fast release of security
fixes. The time from vulnerability discovery to available fix, release, and
announcement can and should be shorter.

We encourage users who find possible security issues to notify
security@...thon.org.

Thanks!

The Jupyter team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.