Bug 30789 - jupyter-notebook new security issues CVE-2022-24758 and CVE-2022-29238
Summary: jupyter-notebook new security issues CVE-2022-24758 and CVE-2022-29238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 30664
Reported: 2022-08-30 23:33 CEST by David Walser
Modified: 2022-09-10 22:28 CEST

See Also:
Source RPM: jupyter-notebook-6.3.0-3.mga9.src.rpm
CVE:
Status comment:
Description David Walser 2022-08-30 23:33:15 CEST
Ubuntu has issued an advisory today (August 30):
https://ubuntu.com/security/notices/USN-5585-1

The issues are fixed upstream in 6.4.12.

Mageia 8 is also affected.
David Walser 2022-08-30 23:33:45 CEST

Blocks: (none) => 30664
Status comment: (none) => Fixed upstream in 6.4.12
Whiteboard: (none) => MGA8TOO

Comment 2 papoteur 2022-08-31 09:21:56 CEST
Updated in cauldron

Whiteboard: MGA8TOO => (none)
QA Contact: security => yves.brungard_mageia
Version: Cauldron => 8
CC: (none) => yves.brungard_mageia

Comment 3 papoteur 2022-08-31 13:05:44 CEST
I applied patches:
https://github.com/jupyter/notebook/commit/c219ce43c1ea25123fa70d264e7735bdf4585b1e
and https://github.com/jupyter/notebook/commit/a161ffac6bfff2491fe5c4e9f6111256b8b57f08

jupyter-notebook-6.1.6-2.mga8.noarch
python-jupyter-notebook-6.1.6-2.mga8.noarch

Source:
jupyter-notebook-6.1.6
Comment 4 David Walser 2022-08-31 23:29:08 CEST
Thanks.  Bug 30664 still needs to be addressed (at least for this package).

Status comment: Fixed upstream in 6.4.12 => (none)

Comment 5 papoteur 2022-09-06 08:44:35 CEST
The 6.4.12 release needs 2 new python modules to be imported into Mageia 8. This is why I preferred to just patch 6.1.6.
But now, Bug 30664 is not so easy to correct with a patch.
Is importing new modules a valid way?
Comment 6 David Walser 2022-09-06 13:18:56 CEST
As long as the update isn't too disruptive a change for users, yes, it can be.
Comment 7 papoteur 2022-09-07 08:38:33 CEST
Thus I updated to 6.4.12:
jupyter-notebook-6.4.12-1.mga8
python-jupyter-notebook-6.4.12-1.mga8
python3-send2trash-1.8.0-1.mga8
python3-nest-asyncio-1.5.5-1.mga8

Assignee: python => qa-bugs

Comment 8 David Walser 2022-09-07 14:48:25 CEST
SRPMS:
jupyter-notebook-6.4.12-1.mga8.src.rpm
python-send2trash-1.8.0-1.mga8.src.rpm
python-nest-asyncio-1.5.5-1.mga8.src.rpm
Comment 9 Len Lawrence 2022-09-07 20:01:52 CEST
mga8, x64
Checked report for bug 27705.
Installed the release packages and made sure that the notebook server started OK.  Running the command `jupyter-notebook` opened a page in the browser pointing at the user's start directory (under Files).  The Running tab said that no terminals were running and no notebooks.  The server was running in a terminal though.

Updated the four packages.
Restarted
$ jupyter-notebook
[I 18:13:58.575 NotebookApp] Serving notebooks from local directory: /home/lcl/qa/jupyter-notebook
[I 18:13:58.575 NotebookApp] Jupyter Notebook 6.4.12 is running at:
[I 18:13:58.575 NotebookApp] http://localhost:8888/?token=3a455569767287e5a19731dde452dde89d0ccae45057e07c
[I 18:13:58.575 NotebookApp]  or http://127.0.0.1:8888/?token=3a455569767287e5a19731dde452dde89d0ccae45057e07c
[I 18:13:58.575 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 18:13:58.595 NotebookApp] 
    
    To access the notebook, open this file in a browser:
        file:///home/lcl/.local/share/jupyter/runtime/nbserver-328198-open.html
    Or copy and paste one of these URLs:
        http://localhost:8888/?token=3a455569767287e5a19731dde452dde89d0ccae45057e07c
     or http://127.0.0.1:8888/?token=3a455569767287e5a19731dde452dde89d0ccae45057e07c

This opens the user directory in a browser.
Using the suggested link from above opens the same directory under the Files tab and so does the token URL at localhost:8088.

It is all consistent.
The Youtube tutorial is unintelligible, running at breakneck speed without any subtitles (for the hard of hearing like me) so it is impossible to follow.  The text is illegible as well.

There is an untitled.txt file here with this content:

// Patch the CodeMirror settings of the currently selected cell (Jupyter Notebook front-end API)
var cell = Jupyter.notebook.get_selected_cell();
var config = cell.config;
var patch = {
    CodeCell: {
        cm_config: {indentUnit: 2}   // use 2-space indentation in code cells
    }
};
config.update(patch);

which looks like it is supposed to run within the notebook framework.  There is also Untitled.ipynb which seems to contain the same code with a notebook harness.  Clicking on it opens another browser page displaying the file with runtime diagnostics.  A menu bar appears with various symbols and the directive 'run' and 'code' offering some options.

It is all meaningless without a proper background but looks like it might be working so this can go out.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
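A scripted version of the check comment 9 performs by hand, added here as an example that is not from the bug report or the jupyter project: it parses the `jupyter-notebook` startup banner, confirms the running version is at least the 6.4.12 release that fixes CVE-2022-24758 and CVE-2022-29238, and confirms the advertised URLs are local and token-authenticated. The banner text and token value below are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample banner in the format quoted in the QA report above;
# the token is a made-up placeholder, not the one from the report.
SAMPLE_BANNER = """\
[I 18:13:58.575 NotebookApp] Serving notebooks from local directory: /home/qa/jupyter-notebook
[I 18:13:58.575 NotebookApp] Jupyter Notebook 6.4.12 is running at:
[I 18:13:58.575 NotebookApp] http://localhost:8888/?token=0123456789abcdef0123456789abcdef01234567
[I 18:13:58.575 NotebookApp]  or http://127.0.0.1:8888/?token=0123456789abcdef0123456789abcdef01234567
"""

# First upstream release carrying the fixes for CVE-2022-24758 / CVE-2022-29238
FIXED_VERSION = (6, 4, 12)

VERSION_RE = re.compile(r"Jupyter Notebook (\d+)\.(\d+)\.(\d+) is running at:")
URL_RE = re.compile(r"(https?://\S+)")


def parse_version(banner: str):
    """Return the server version as an int tuple, or None if the banner lacks it."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def listening_urls(banner: str):
    """Collect every URL the server prints in its banner."""
    return [m.group(1) for m in URL_RE.finditer(banner)]


def audit_banner(banner: str) -> dict:
    """Findings a QA tester would want before validating the update."""
    version = parse_version(banner)
    parsed = [urlparse(u) for u in listening_urls(banner)]
    return {
        "version": version,
        # Version at or above the fixed release (only meaningful for the
        # 6.4.12 route taken in comment 7, not for a backported 6.1.6 patch).
        "fixed": version is not None and version >= FIXED_VERSION,
        # Server only advertises loopback addresses.
        "localhost_only": all(p.hostname in ("localhost", "127.0.0.1") for p in parsed),
        # Every advertised URL carries a token, i.e. token auth is still on.
        "token_auth": all("token=" in p.query for p in parsed),
    }
```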

David Walser 2022-09-07 20:08:19 CEST

QA Contact: yves.brungard_mageia => security

Comment 10 David Walser 2022-09-07 20:08:58 CEST
Advisory note: this update fixes this bug and Bug 30664 for this package.
Comment 11 Thomas Andrews 2022-09-08 02:34:23 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-08 18:36:53 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2022-09-10 22:28:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0323.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED