Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Aug 2016 09:08:05 -0400
From: Sylvain Corlay <sylvain.corlay@...il.com>
To: oss-security@...ts.openwall.com, Fernando Perez <fperez@....gov>, 
	Matthias Bussonnier <mbussonnier@...keley.edu>, Jamie Whitacre <whitacre@...keley.edu>
Subject: Re: CVE Request: ipywidgets executes untrusted JavaScript

Hello everyone,

I am following up on this CVE request. Did we miss something in how the
request is formulated?

Thanks,

Sylvain

On Fri, Jul 1, 2016 at 6:12 PM, Sylvain Corlay <sylvain.corlay@...il.com>
wrote:

> *Description*
>
> ipywidgets version 5.1.5 (and the companion package widgetsnbextension
> 1.2.3) fixes a security vulnerability which affects the usage of ipywidgets
> in conjunction with the Jupyter Notebook. (The GitHub repository for the
> project is https://github.com/ipython/ipywidgets)
>
> *Affected versions*
>
> The affected versions of ipywidgets are:
>
> ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (and widgetsnbextension < 1.2.3), …
>
> Only users who installed ipywidgets using pip or from source on the GitHub
> repository are affected.
>
> Anaconda users are unaffected because the vulnerable version of ipywidget
> has never been released to the default conda channel.
>
> *Resolution*
>
> We recently released ipywidgets version 5.1.5 (widgetsnbextension version
> 1.2.3). You can check whether your system is affected by running the
> following command:
>
>    >>> from distutils.version import LooseVersion as V
>    >>> import ipywidgets
>    >>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'):
>    >>>     print("Upgrade ipywidgets to 5.1.5")
>
> If your system is vulnerable, you will see the following output:
>
>     Upgrade ipywidgets to 5.1.5
>
> If your system is vulnerable please upgrade to ipywidgets version 5.1.5.
> Use the following command to install:
>
>    $ pip install "ipywidgets>=5.1.5"
>
> or
>
>    $ conda install "ipywidgets>=5.1.5"
>
> *Technical details*
>
> The vulnerability was discovered following an investigation of a potential
> vulnerability reported by Brian Granger to the ipython-security mailing
> list (security@...thon.org) on May 5.
>
> The reason for such behavior was determined on May 5 by Matthias
> Bussonnier.
>
> A fix was proposed written and reviewed, then [merged](https://github.com/
> ipython/ipywidgets/pull/591) into the development branch on May 20, and a
> non vulnerable version released on May 25.
>
> A widget snapshotting feature introduced in ipywidgets 5.0.0 (
> https://github.com/ipython/ipywidgets/pull/314/) allowed untrusted
> javascript code to execute in an untrusted notebook on loading and saving
> of a notebook.  A well crafted notebook could execute arbitrary code with
> the rights of the current user in the context of the page, the notebook
> server, and available kernels.
>
> We recommend immediate upgrade of the ipywidgets package.
>
> There is no simple configuration option that could mitigate the system for
> vulnerability. The user must upgrade to ipywidget version 5.1.5 or
> downgrade to 4.x.
>
> *Future Plan*
>
> The security issue resulted from the seemingly harmless combination of
> calls:
>
>     json = cell.get_json()
>     json = update_json(json)
>     cell.clear_output()
>     cell.from_json()
>
> The clear_output()  method has as a consequence to mark the cell as
> trusted (as it has no output that can potentially execute javascript). This
> is followed by the next call which can trigger JavaScript execution in the
> page context.
>
> We plan on improving the notebook API so that clear_output() does not
> change the trusted status of a cell (or a notebook), to prevent mistakes
> like this from having security consequences. This will lead to the slight
> behavior change that an empty cell with no output can be untrusted.
>
> We learned that we are not completely ready for fast release of security
> fixes. The time from vulnerability discovery to available fix, release, and
> announcement can and should be shorter.
>
> We encourage users who find possible security issues to notify
> security@...thon.org.
>
> Thanks!
>
> The Jupyter team
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.