|
Message-Id: <ABD7A6F5-D9A2-491C-9CFC-00BD7E6D658C@berkeley.edu> Date: Wed, 21 Sep 2016 12:03:03 -0400 From: Jamie Whitacre <whitacre@...keley.edu> To: Sylvain Corlay <sylvain.corlay@...il.com> Cc: oss-security@...ts.openwall.com, Fernando Perez <fperez@....gov>, Matthias Bussonnier <mbussonnier@...keley.edu> Subject: Re: CVE Request: ipywidgets executes untrusted JavaScript Hi Folks, Is this done? Thanks, Jamie > On Aug 11, 2016, at 9:08 AM, Sylvain Corlay <sylvain.corlay@...il.com> wrote: > > Hello everyone, > > I am following up on this CVE request. Did we miss something in how the request is formulated? > > Thanks, > > Sylvain > > On Fri, Jul 1, 2016 at 6:12 PM, Sylvain Corlay <sylvain.corlay@...il.com <mailto:sylvain.corlay@...il.com>> wrote: > Description > > ipywidgets version 5.1.5 (and the companion package widgetsnbextension 1.2.3) fixes a security vulnerability which affects the usage of ipywidgets in conjunction with the Jupyter Notebook. (The GitHub repository for the project is https://github.com/ipython/ipywidgets <https://github.com/ipython/ipywidgets>) > > Affected versions > > The affected versions of ipywidgets are: > > ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (and widgetsnbextension < 1.2.3), … > > Only users who installed ipywidgets using pip or from source on the GitHub repository are affected. > > Anaconda users are unaffected because the vulnerable version of ipywidget has never been released to the default conda channel. > > Resolution > > We recently released ipywidgets version 5.1.5 (widgetsnbextension version 1.2.3). You can check whether your system is affected by running the following command: > > >>> from distutils.version import LooseVersion as V > >>> import ipywidgets > >>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'): > >>> print("Upgrade ipywidgets to 5.1.5") > > If your system is vulnerable, you will see the following output: > > Upgrade ipywidgets to 5.1.5 > > If your system is vulnerable please upgrade to ipywidgets version 5.1.5. Use the following command to install: > > $ pip install "ipywidgets>=5.1.5" > > or > > $ conda install "ipywidgets>=5.1.5" > > Technical details > > The vulnerability was discovered following an investigation of a potential vulnerability reported by Brian Granger to the ipython-security mailing list (security@...thon.org <mailto:security@...thon.org>) on May 5. > > The reason for such behavior was determined on May 5 by Matthias Bussonnier. > > A fix was proposed written and reviewed, then [merged](https://github.com/ipython/ipywidgets/pull/591 <https://github.com/ipython/ipywidgets/pull/591>) into the development branch on May 20, and a non vulnerable version released on May 25. > > A widget snapshotting feature introduced in ipywidgets 5.0.0 (https://github.com/ipython/ipywidgets/pull/314/ <https://github.com/ipython/ipywidgets/pull/314/>) allowed untrusted javascript code to execute in an untrusted notebook on loading and saving of a notebook. A well crafted notebook could execute arbitrary code with the rights of the current user in the context of the page, the notebook server, and available kernels. > > We recommend immediate upgrade of the ipywidgets package. > > There is no simple configuration option that could mitigate the system for vulnerability. The user must upgrade to ipywidget version 5.1.5 or downgrade to 4.x. > > Future Plan > > The security issue resulted from the seemingly harmless combination of calls: > > json = cell.get_json() > json = update_json(json) > cell.clear_output() > cell.from_json() > > The clear_output() method has as a consequence to mark the cell as trusted (as it has no output that can potentially execute javascript). This is followed by the next call which can trigger JavaScript execution in the page context. > > We plan on improving the notebook API so that clear_output() does not change the trusted status of a cell (or a notebook), to prevent mistakes like this from having security consequences. This will lead to the slight behavior change that an empty cell with no output can be untrusted. > > We learned that we are not completely ready for fast release of security fixes. The time from vulnerability discovery to available fix, release, and announcement can and should be shorter. > > We encourage users who find possible security issues to notify security@...thon.org <mailto:security@...thon.org>. > > Thanks! > > The Jupyter team >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.