Bug 22780 - jupyter-notebook new security issue fixed upstream in 5.4.1 (CVE-2018-8768)
Summary: jupyter-notebook new security issue fixed upstream in 5.4.1 (CVE-2018-8768)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware / OS: All / Linux
Priority / Severity: Normal / normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-15 23:47 CET by David Walser
Modified: 2018-03-26 22:22 CEST
CC: 5 users

See Also:
Source RPM: jupyter-notebook-5.0.0-1.mga7.src.rpm
CVE: CVE-2018-8768
Status comment:



Description David Walser 2018-03-15 23:47:38 CET
A security issue fixed upstream in jupyter-notebook has been announced today (March 15):
http://openwall.com/lists/oss-security/2018/03/15/2

The issue will be fixed upstream in 5.4.1 and 5.5.

Mageia 5 and Mageia 6 may also be affected.
Comment 1 Marja Van Waes 2018-03-17 10:00:42 CET
Assigning to the Python stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11

Comment 2 Stig-Ørjan Smelror 2018-03-18 14:40:49 CET
Cauldron has been updated to version 5.4.1.

CC: (none) => smelror

David Walser 2018-03-18 15:18:24 CET

Version: Cauldron => 6

Comment 3 David Walser 2018-03-18 15:20:00 CET
CVE assignment:
http://openwall.com/lists/oss-security/2018/03/18/1

Summary: jupyter-notebook new security issue fixed upstream in 5.4.1 => jupyter-notebook new security issue fixed upstream in 5.4.1 (CVE-2018-8768)

Comment 4 Stig-Ørjan Smelror 2018-03-18 20:40:54 CET
Advisory
========

jupyter-notebook has been updated to fix a security issue.

CVE-2018-8768: In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.


References
==========
https://nvd.nist.gov/vuln/detail/CVE-2018-8768
http://openwall.com/lists/oss-security/2018/03/15/2

Files
=====

Uploaded to core/updates_testing:

python3-jupyter-notebook-4.2.0-1.1.mga6
python2-jupyter-notebook-4.2.0-1.1.mga6
jupyter-notebook-4.2.0-1.1.mga6

from jupyter-notebook-4.2.0-1.1.mga6.src.rpm

CVE: (none) => CVE-2018-8768
Assignee: python => qa-bugs
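
The advisory above concerns a forged .ipynb file whose markup survives the notebook's HTML sanitizer. As an added example for this bug (not code from Jupyter, Mageia or anyone in this thread), the following Python script parses a notebook file and lists the cells that carry active content a sanitizer would have to neutralise: script/iframe/object tags, inline event-handler attributes and javascript: URLs in markdown or raw cells, and text/html or JavaScript mime bundles in code-cell outputs. It understands both nbformat 4 (flat "cells" list) and the older nbformat 3 ("worksheets"). The sample notebook embedded in it is constructed for the demo; the regex is a triage heuristic, not a sanitizer, and can produce false positives.

```python
"""Triage a .ipynb file for active content before opening it.

Added example for this bug report; not code from Jupyter or Mageia.
Works on nbformat 4 (flat "cells" list) and nbformat 3 ("worksheets").
The patterns are a triage heuristic, not a sanitizer.
"""
import json
import re

# Markup a sanitizer has to neutralise in markdown/raw cells: active tags,
# inline event handlers (onerror=, onload=, ...) and javascript: URLs.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Output mime types the notebook renders as HTML or executes as script.
ACTIVE_MIME = {"text/html", "application/javascript", "text/javascript",
               "image/svg+xml"}


def _source_text(source):
    """nbformat stores cell source as a string or a list of line strings."""
    if isinstance(source, list):
        return "".join(source)
    return source or ""


def _iter_cells(nb):
    """Yield cells from an nbformat 4 or nbformat 3 notebook dict."""
    if nb.get("nbformat", 4) >= 4:
        yield from nb.get("cells", [])
        return
    for worksheet in nb.get("worksheets", []):
        yield from worksheet.get("cells", [])


def audit_notebook(nb):
    """Return a list of (cell_index, cell_type, reason) for suspect cells."""
    findings = []
    for idx, cell in enumerate(_iter_cells(nb)):
        ctype = cell.get("cell_type")
        if ctype in ("markdown", "raw", "heading"):
            text = _source_text(cell.get("source"))
            for match in ACTIVE_MARKUP.finditer(text):
                findings.append((idx, ctype, f"active markup: {match.group(0)!r}"))
        elif ctype == "code":
            for out in cell.get("outputs", []):
                # nbformat 4: mime bundle under "data"
                bundle = out.get("data", {})
                for mime in sorted(set(bundle) & ACTIVE_MIME):
                    findings.append((idx, ctype, f"output mime {mime}"))
                # nbformat 3: flat keys such as "html" / "javascript"
                for key in ("html", "javascript", "svg"):
                    if key in out:
                        findings.append((idx, ctype, f"output key {key}"))
    return findings


def audit_file(path):
    """Load a notebook file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_notebook(json.load(fh))


# Constructed sample notebook (not a real notebook from the bug report):
# one benign markdown cell, one with inline HTML, one code cell with a
# text/html output and one with a plain stdout stream.
SAMPLE_NB = {
    "nbformat": 4,
    "nbformat_minor": 2,
    "metadata": {"kernelspec": {"name": "python3", "display_name": "Python 3"}},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Benign heading\n",
                    "Plain *markdown* and a [link](https://example.org).\n"]},
        {"cell_type": "markdown", "metadata": {},
         "source": ["<img src=x onerror=\"alert(1)\">\n",
                    "<a href=\"javascript:alert(2)\">click</a>\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["display(HTML(html))"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["<IPython.core.display.HTML object>"],
                               "text/html": ["<b>bold</b><script>alert(3)</script>"]}}]},
        {"cell_type": "code", "metadata": {}, "execution_count": 2,
         "source": ["print(a+a)"],
         "outputs": [{"output_type": "stream", "name": "stdout", "text": ["20\n"]}]},
    ],
}

if __name__ == "__main__":
    import sys
    nb_findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_notebook(SAMPLE_NB)
    for idx, ctype, reason in nb_findings:
        print(f"cell {idx} ({ctype}): {reason}")
```

Run it as `python3 audit_ipynb.py Some.ipynb` to list suspect cells before opening a notebook from an untrusted source; with no argument it audits the constructed sample, reporting two hits in the second markdown cell and one text/html output in the third cell. A hit does not mean the notebook is malicious, only that the cell depends on the sanitizer, which is exactly the component CVE-2018-8768 bypasses in versions before 5.4.1.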

Comment 5 Len Lawrence 2018-03-25 20:21:38 CEST
Mageia 6 :: x86_64

Documentation at: http://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
or
https://media.readthedocs.org/pdf/jupyter-notebook/stable/jupyter-notebook.pdf
It is not easy to follow.

Installed the Core Release packages first and tinkered with the system for a couple of hours but made very little progress.  What it is is an interactive code environment which makes use of "kernels" to run code stored in 'cells'.  Cells can also contain Markup text, images and videos but it is not clear how data can be imported from elsewhere.  Cells can be cut and pasted but native cut and paste does not seem to be supported.  There is some discussion of this on the web.  I got as far as typing random text into a cell and tried to save it but could not find any corresponding file in the user directory tree.

The first step is to create a jupyter_notebook_config.py file in the .jupyter directory, with all the default settings commented out, using the following command:

$ jupyter-notebook --generate-config
Writing default config to: /home/lcl/.jupyter/jupyter_notebook_config.py
[lcl@vega ~]$ jupyter-notebook
[I 16:40:52.658 NotebookApp] Writing notebook server cookie secret to /run/user/1000/jupyter/notebook_cookie_secret
[W 16:40:52.679 NotebookApp] Widgets are unavailable. Please install widgetsnbextension or ipywidgets 4.0
[I 16:40:52.687 NotebookApp] Serving notebooks from local directory: /home/lcl
[I 16:40:52.687 NotebookApp] 0 active kernels 
[I 16:40:52.687 NotebookApp] The Jupyter Notebook is running at: http://localhost:8888/
[I 16:40:52.687 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).

Note that the command is 'jupyter-notebook', not 'jupyter notebook' as given in the documentation.
There does not seem to be a way to run it other than using the command line.
By default, a notebook server runs locally at 127.0.0.1:8888 and is accessible only from localhost.  Running jupyter-notebook without any changes to the default configuration displays the user's home directory in a browser at localhost:8888/tree.

Installed the updates.  By default, installing jupyter-notebook pulls in the python3 dependencies.

Since understanding how to use this is a life's work just confirming that the server runs is about all we can do.
I ran the jupyter-notebook command in a terminal and the home page came up in firefox.  Used the New button at the right hand side to select 'create a new python3 notebook'.  The view switched to a new tab with a notebook page named 'Untitled2' and a blank cell waiting for input.  I typed in a snippet of code from the documentation:

var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {
      CodeCell:{
        cm_config:{indentUnit:2}
      }
    }
config.update(patch)

Running this generated a syntax error message:

File "<ipython-input-1-bb0c3215449e>", line 1
  var cell = Jupyter.notebook.get_selected_cell();
         ^
SyntaxError: invalid syntax

This means little to me but it looks like ipython is involved.  It seems surprising that the code would not be interpreted as python3.  There might be a configuration setting covering that.  Just checked - nothing relevant.  Maybe it is not good python.

However, this does demonstrate that a kernel is running.
Closed down the notebook server and restarted it.  In firefox, navigated to the directory where the notebook was saved and selected Untitled2.ipynb, which is an ASCII file containing metadata for the notebook and the edited cell.  That brought up the cell with the error message.

This is about as far as I can take this.  On the face of it the application is working normally.  Leaving the OK for a while in case there is anybody with experience of this system who would care to comment.

CC: (none) => tarazed25

Len Lawrence 2018-03-26 10:54:21 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 6 Philippe Makowski 2018-03-26 11:54:58 CEST
(In reply to Len Lawrence from comment #5)
> This is about as far as I can take this.  On the face of it the application
> is working normally.  Leaving the OK for a while in case there is anybody
> with experience of this system who would care to comment.

Thanks for your efforts.

To do some test, you can for example download a notebook
curl -O https://raw.githubusercontent.com/jupyter/notebook/master/docs/source/examples/Notebook/Running%20Code.ipynb

and then do :
jupyter-notebook Running%20Code.ipynb

and play with the notebook.
Comment 7 Len Lawrence 2018-03-26 12:23:02 CEST
Thanks for the link Philippe.  Shall have a look at that later.
Comment 8 Len Lawrence 2018-03-26 12:44:37 CEST
Just to confirm the OK, downloaded the notebook suggested in comment 6, placing it in ~/.jupyter, and ran jupyter-notebook from there.

Tried replicating cells and moving cells about.  Ran code using the Ctrl and Alt shortcuts.  Inserted new code in blank cell 'print(a+a)' and ran it; result 20 appeared below the cell.  Interrupted the kernel and also crashed the kernel and responded to the automatic restart message.

Typed Ctrl-C twice to close down.
64-bit OK.
Comment 9 Len Lawrence 2018-03-26 13:25:07 CEST
Oops; looks like this is not finished yet.  Forgot about python2.  The packages had been installed but there seems to be only one notebook script in /bin and that runs under python3:

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'notebook==4.2.0','console_scripts','jupyter-notebook'

No pointers from 'jupyter-notebook --help-all' but googling indicates that a new kernel may need to be generated.  Looking into that just now.

Whiteboard: MGA6-64-OK => (none)

Comment 10 Len Lawrence 2018-03-26 13:31:06 CEST
The kernel can be changed on the fly from the running notebook menu but it needs to be generated first.
Comment 11 Len Lawrence 2018-03-26 14:12:42 CEST
$ sudo urpmi python-pip
$ sudo python2 -m pip install --upgrade ipykernel

That seemed to run smoothly enough but cannot be sure of the end result:
.........................
Python sys.version_info(major=2, minor=7, micro=13, releaselevel='final', serial=0) detected.
    Your pip version is out of date, please install pip >= 9.0.1. pip 8.0.2 detected.
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-I9Wrwu/ipython
You are using pip version 8.0.2, however version 9.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
$ sudo python2 -m ipykernel install
Installed kernelspec python2 in /usr/local/share/jupyter/kernels/python2

However, restarting the notebook showed python2 available so I switched.
Worked through similar tests on the demonstration notebook.  All is well.

Whiteboard: (none) => MGA6-64-OK

Comment 12 Lewis Smith 2018-03-26 15:23:05 CEST
Thanks Len for the test. Advisoried & validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-03-26 22:22:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0182.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

