Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816
Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../python3-ipython/CVE-2023-24816.patch | 94 +++++++++++++++++++ .../python/python3-ipython_8.2.0.bb | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch diff --git a/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch new file mode 100644 index 0000000000..e5f65fbb68 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch @@ -0,0 +1,94 @@ +From 06db417ff15192d73ddac4bf0e2f20579d47b2e0 Mon Sep 17 00:00:00 2001 +From: Konstantin Weddige <[email protected]> +Date: Sat, 3 Dec 2022 19:14:09 +0100 +Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code. + +Remove legacy code that might trigger a CVE. + +Currently set_term_title is only called with (semi-)trusted input that +contain the current working directory of the current IPython session. If +an attacker can control directory names, and manage to get a user cd +into this directory the attacker can execute arbitrary commands +contained in the folder names. + +Example: + + - On a windows machine where python is built without _ctypes, create + a folder called && echo "pwn" > pwn.txt. This can be done by for + example cloning a git repository. + - call toggled_set_term_title(True), (or have the preference to + true) + - Open IPython and cd into this directory. + - the folder now contain a pwn.txt, with pwn as content, despite the + user not asking for any code execution. + +Workaround: + + Set the configuration option + c.TerminalInteractiveShell.term_title_format='IPython' (or to any + other fixed, safe string). + +CVE: CVE-2023-24816 +Upstream-Status: Backport [https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + IPython/__init__.py | 2 +- + IPython/utils/terminal.py | 32 ++++++++------------------------ + 2 files changed, 9 insertions(+), 25 deletions(-) + +diff --git a/IPython/__init__.py b/IPython/__init__.py +index e12da90..20e6e48 100644 +--- a/IPython/__init__.py ++++ b/IPython/__init__.py +@@ -62,7 +62,7 @@ __version__ = release.version + version_info = release.version_info + # list of CVEs that should have been patched in this release. + # this is informational and should not be relied upon. +-__patched_cves__ = {"CVE-2022-21699"} ++__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"} + + + def embed_kernel(module=None, local_ns=None, **kwargs): +diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py +index 49fd3fe..d884799 100644 +--- a/IPython/utils/terminal.py ++++ b/IPython/utils/terminal.py +@@ -79,30 +79,14 @@ if os.name == 'posix': + _set_term_title = _set_term_title_xterm + _restore_term_title = _restore_term_title_xterm + elif sys.platform == 'win32': +- try: +- import ctypes +- +- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW +- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p] +- +- def _set_term_title(title): +- """Set terminal title using ctypes to access the Win32 APIs.""" +- SetConsoleTitleW(title) +- except ImportError: +- def _set_term_title(title): +- """Set terminal title using the 'title' command.""" +- global ignore_termtitle +- +- try: +- # Cannot be on network share when issuing system commands +- curr = os.getcwd() +- os.chdir("C:") +- ret = os.system("title " + title) +- finally: +- os.chdir(curr) +- if ret: +- # non-zero return code signals error, don't try again +- ignore_termtitle = True ++ import ctypes ++ ++ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW ++ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p] ++ ++ def _set_term_title(title): ++ """Set terminal title using ctypes to access the Win32 APIs.""" ++ SetConsoleTitleW(title) + + + def set_term_title(title): diff --git a/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb b/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb index 35af7dd4d8..197578ae41 100644 --- a/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING.rst;md5=59b20262b8663cdd094005bddf47af5f" PYPI_PACKAGE = "ipython" +SRC_URI += "file://CVE-2023-24816.patch" SRC_URI[sha256sum] = "70e5eb132cac594a34b5f799bd252589009905f05104728aea6a403ec2519dc1" RDEPENDS:${PN} = "\
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123164): https://lists.openembedded.org/g/openembedded-devel/message/123164 Mute This Topic: https://lists.openembedded.org/mt/117101977/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
