Bug 30699 - python-jupyterlab new security issue CVE-2021-32797
Summary: python-jupyterlab new security issue CVE-2021-32797
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-03 01:03 CEST by David Walser
Modified: 2023-02-27 21:28 CET (History)

See Also:
Source RPM: python-jupyterlab-3.0.12-3.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-08-03 01:03:02 CEST
openSUSE has issued an advisory today (August 2):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VZGF2ZZFSQOBN7NRPXC3MMQXPLYLS2IH/

The issue is fixed upstream in 2.2.10 and 3.0.17:
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx

Mageia 8 is also affected.
David Walser 2022-08-03 01:03:32 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.2.10 and 3.0.17

Comment 1 Bruno Cornec 2022-09-05 22:10:23 CEST
3.0.17 pushed to cauldron

CC: (none) => bruno
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8

Comment 2 Bruno Cornec 2022-09-05 22:47:21 CEST
2.2.10 pushed as well to testing_updates for mga8
Hopefully the move from 2.1.2 to 2.2.10 won't create issues.

Assignee: python => qa-bugs

Comment 3 David Walser 2022-09-05 23:07:20 CEST
jupyter-jupyterlab-2.2.10-1.mga8
python3-jupyterlab-2.2.10-1.mga8

from python-jupyterlab-2.2.10-1.mga8.src.rpm

Status comment: Fixed upstream in 2.2.10 and 3.0.17 => (none)

Comment 4 Len Lawrence 2022-09-08 01:11:21 CEST
mga8, x64

Installed Core components.
Local documentation:
/usr/share/doc/jupyter-jupyterlab-server/README.md
/usr/share/doc/python3-jupyter-client/README.md
/usr/share/doc/python3-jupyter-core/README.md

Information only:
One of these indicates that sphinx is used to handle or generate local documentation.
Some sphinx components are already there but sphinx-2.3.2 can be installed.
Could not locate any jupyter_core/docs - maybe that is something extra to download. Once jupyter_core/docs is established the web documentation can be generated from that folder using `make html linkcheck`.
A browser would find it at e.g. file:///my/projects/jupyter_core/docs/_build/html/index.html

Had a stab at starting python3-jupyter-client - not successful.
------------------------------------------------------------------------------

$ rpm -qa | grep jupyterlab
python3-jupyterlab-2.1.2-5.mga8
jupyter-jupyterlab-filesystem-20190823-4.mga8
jupyter-jupyterlab-2.1.2-5.mga8
jupyter-jupyterlab-server-1.1.4-2.mga8

Tried to update via qarepo/MageiaUpdate but failed.
$ ls <localrepo>/x86_64
jupyter-jupyterlab-2.2.10-1.mga8.noarch.rpm
python3-jupyterlab-2.2.10-1.mga8.noarch.rpm

$ MageiaUpdate
Sorry, the following packages cannot be selected:

- jupyter-jupyterlab-2.2.10-1.mga8.noarch
- python3-jupyterlab-2.2.10-1.mga8.noarch (due to unsatisfied python3.8dist(jupyterlab-server)[>= 1.1.5])

CC: (none) => tarazed25

Comment 5 Dave Hodgins 2022-09-08 02:25:20 CEST
$ urpmq --provides  jupyter-jupyterlab-server
jupyter-jupyterlab-launcher[== 1.1.4]
jupyter-jupyterlab-server[== 1.1.4-2.mga8]
python3-jupyter_jupyterlab_launcher[== 1.1.4]
python3-jupyter_jupyterlab_server[== 1.1.4]
python3-jupyterlab-server[== 1.1.4]
python3.8dist(jupyterlab-server)[== 1.1.4]
python3dist(jupyterlab-server)[== 1.1.4]

Looks like jupyter-jupyterlab-server will have to be updated too.

CC: (none) => davidwhodgins

Dave Hodgins 2022-09-08 03:13:47 CEST

Keywords: (none) => feedback

Comment 6 papoteur 2023-02-18 09:51:13 CET
Added jupyter-jupyterlab-server-1.1.5-1.mga8.noarch
Installed it with 
  jupyter-jupyterlab             2.2.10       1.mga8        noarch  
  python3-jupyterlab             2.2.10       1.mga8        noarch
Launched jupyter-lab
A new tab opens in Firefox.
Opened a previously saved notebook. Opens fine.

CC: (none) => yves.brungard_mageia

Comment 7 Len Lawrence 2023-02-20 20:50:23 CET
Updated OK this time.
Started jupyter-lab from a terminal and opened a file tab in Firefox at the suggested URL.  No real idea what was going on but pasted a python script into the input panel and clicked on run.  That worked - Eratosthenes sieve over the range 1-300.
Saved the notebook and closed the server with Ctrl-C.  Could not find the file in user directory or .local/share/jupyter.
Started it again and exported the notebook page as HTML.  That appeared in the Downloads directory and could be displayed in the browser directly, code and results. 

So, something is working but taking this any further would require rather too much time.

Far from satisfactory - giving this a tentative OK.

Whiteboard: (none) => MGA8-64-OK
Keywords: feedback => (none)

Comment 8 Thomas Andrews 2023-02-23 23:49:17 CET
Nobody's come forth asking for more, so I'm validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 19:44:42 CET

Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-02-27 21:28:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0060.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

