Bug 16686 - ipython new XSS security issue fixed upstream (CVE-2015-6938)
Summary: ipython new XSS security issue fixed upstream (CVE-2015-6938)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/657409/
Whiteboard: MGA4TOO has_procedure advisory MGA4-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-09-02 15:22 CEST by David Walser
Modified: 2015-09-15 19:46 CEST (History)
3 users (show)

See Also:
Source RPM: ipython-2.3.0-2.2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-09-02 15:22:31 CEST
A CVE has been requested for an XSS issue fixed in IPython:
http://openwall.com/lists/oss-security/2015/09/02/3

Upstream commits for the 3.x and 4.x branches are linked, but they say 2.x is also vulnerable.

Reproducible: 

Steps to Reproduce:
David Walser 2015-09-02 15:22:40 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Philippe Makowski 2015-09-02 21:41:57 CEST
packages in 5/core/updates_testing :

python3-ipython-2.3.0-2.3.mga5.noarch
ipython-2.3.0-2.3.mga5.src
ipython-2.3.0-2.3.mga5.noarch
ipython-doc-2.3.0-2.3.mga5.noarch

packages in 4/core/updates_testing :
ipython-2.3.0-1.2.mga4.noarch
ipython-2.3.0-1.2.mga4.src

Cauldron patched with upstream patch

Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO, MGA4TOO has_procedure

Comment 2 David Walser 2015-09-02 22:02:07 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13744#c1

Advisory pending CVE request.

Advisory:
========================

Updated ipython packages fix security vulnerability:

In IPython, local folder name was used in HTML templates without escaping,
allowing XSS in said pages by carefully crafting folder name and URL to access
it.

References:
http://openwall.com/lists/oss-security/2015/09/02/3

CC: (none) => makowski.mageia
Version: Cauldron => 5
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO has_procedure => MGA4TOO has_procedure

Comment 3 Lewis Smith 2015-09-09 22:22:48 CEST
Testing Mageia4 x64

Using existing:
 ipython-2.3.0-1.1.mga4 + python-matplotlib-1.3.0-7.mga4

From $ ipython I ran the tests in:
 http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Cell%20Magics.ipynb
In [2]: %matplotlib inline
UsageError: Invalid GUI request u'inline', valid ones are:['osx', 'qt4', 'glut', 'gtk3', 'pyglet', 'wx', 'none', 'qt', 'gtk', None, 'tk']
and adds 2  to the line count.
In [16]: adds another 1 to the line count.
Otherwise the results were as shown.

From $ ipython I ran the tests in:
 http://nbviewer.ipython.org/github/ipython/ipython/blob/master/examples/IPython%20Kernel/Script%20Magics.ipynb
In [8]: adds 1 to the line count.
In [14]: adds another 3 to the line count, and gives what looks like an invald result (every line has the same time); but I have seen this before.
Otherwise the results were as shown.

Updated to:
 ipython-2.3.0-1.2.mga4 (same mathplotlib)
and re-ran all the tests cited above. Results were the same, with the same provisos. So this update shows no regression or evident new errors; OK.

CC: (none) => lewyssmith
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK

Comment 4 David Walser 2015-09-14 23:25:11 CEST
Tested Mageia 4 i586 and Mageia 5 i586.  Didn't run every single test case, but more than enough to show that the package is still functional.

Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 5 David Walser 2015-09-14 23:49:03 CEST
This finally has CVE-2015-6938:
http://openwall.com/lists/oss-security/2015/09/14/2

Advisory:
========================

Updated ipython packages fix security vulnerability:

In IPython, local folder name was used in HTML templates without escaping,
allowing XSS in said pages by carefully crafting folder name and URL to access
it (CVE-2015-6938).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6938
http://openwall.com/lists/oss-security/2015/09/14/2

Summary: ipython new XSS security issue fixed upstream => ipython new XSS security issue fixed upstream (CVE-2015-6938)

Comment 6 claire robinson 2015-09-15 15:30:40 CEST
Validating. Advisory uploaded combining comment 1 & comment 5.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-09-15 16:56:18 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0372.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-15 19:46:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/657409/


Note You need to log in before you can comment on or make changes to this bug.