Re: CVE Request: Maliciously crafted text files in IPython/Jupyter editor

[MinRK <benjaminrk () gmail com>]

Is there any more information needed to get a CVE assignment on this?

-MinRK

On Wed, Sep 16, 2015 at 3:02 PM, MinRK <benjaminrk () gmail com> wrote:

> Email address of requester: security () ipython org, benjaminrk () gmail com,
> rgbkrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
>
> Software name: IPython notebook / Jupyter notebook
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution
>
> Vulnerability: A maliciously forged file opened for editing can execute
> javascript, specifically by being redirected to /files/ due to a failure to
> treat the file as plain text.
>
> Affected versions:
>
> - IPython 3.0 ≤ version ≤ 3.2.1
> - notebook 4.0 ≤ 4.0.4
>
> URI with issues:
>
> - GET /edit/**
>
> Patches:
>
> - IPython 3.x: 0a8096adf165e2465550bd5893d7e352544e5967 (
> https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967
> )
> - Jupyter 4.0.x: 9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5 (
> https://github.com/jupyter/notebook/commit/9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5
> )
>
> Mitigations:
>
> Upgrade to IPython/Jupyter notebook 4.0.5, 4.1 or 3.2.2 once available.
> If using pip,
>
>     pip install --upgrade "ipython[notebook]<4.0"  # for 3.2.2
>     pip install --upgrade notebook # for 4.1 or 4.0.5
>
> For conda:
>
>     conda update conda
>     conda update ipython "ipython-notebook<4.0" # for 3.2.2
>     conda update notebook # for 4.1 or 4.0.5
>
> Vulnerability reported by Jonathan Kamens at Quantopian