
List:       oss-security
Subject:    Re: [oss-security] CVE request: maliciously crafted notebook files in Jupyter
From:       Gordo Lowrey <gordo () zeneval ! com>
Date:       2018-03-19 23:16:17
Message-ID: 1521501377.17063.0 () smtp ! gmail ! com


Obviously, running a python notebook from an untrusted party is a bad 
idea, since notebooks are literally code executors...

Sure, there is something to be said about *javascript* execution... but 
there are a plethora of addons for Python notebooks that generate 
Javascript on-demand. Especially for visualizations, etc...

Why is this a "vulnerability" necessarily?

Just curious...


On Mon, Mar 19, 2018 at 7:53 AM, Ricter Zheng <ricterzheng@gmail.com> 
wrote:
> Hi Thomas Kluyver,
> 
> I am a student from China majoring in information security, and I'm very 
> interested in the vulnerability. I tried to reproduce the vulnerability but
> failed, so can you provide some technical details about it?
> 
> Thank you.
> --
> Ricter Zheng
> 
> Thomas Kluyver <thomas@kluyver.me.uk> wrote on Thu, Mar 15, 2018 at 
> 10:27 PM:
> 
>>  Email address of requester: security@ipython.org, 
>> thomas@kluyver.me.uk,
>>  benjaminrk@gmail.com, jkamens@quantopian.com, 
>> ssanderson@quantopian.com
>> 
>>  Software name: Jupyter Notebook (formerly IPython Notebook)
>>  Type of vulnerability: Maliciously forged file
>>  Attack outcome: Possible remote execution
>> 
>>  Vulnerability: A maliciously forged notebook file can bypass 
>> sanitization
>>  to execute Javascript in the notebook context. Specifically, 
>> invalid HTML
>>  is 'fixed' by jQuery after sanitization, making it dangerous.
>> 
>>  Affected versions:
>> 
>>  - notebook ≤ 5.4.0
>> 
>>  URI with issues:
>> 
>>  - GET /notebook/**
>> 
>>  Patches:  not yet finalised
>> 
>>  Mitigations:
>> 
>>  Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
>>  If using pip,
>> 
>>      pip install --upgrade notebook
>> 
>>  For conda:
>> 
>>      conda update conda
>>      conda update notebook
>> 
>>  Vulnerability reported by vkgonka@mail.ru , via Jonathan Kamens at
>>  Quantopian
>> 
>>  --
> Ricter Z
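The advisory quoted above attributes the bypass to jQuery repairing invalid markup after the sanitizer had already passed the string. As an added illustration (not Jupyter's code and not its actual fix), the block below shows the defensive pattern that closes that gap: sanitize the parsed token stream instead of the raw string, always emit balanced markup so the renderer's parser has nothing to "fix", and check that the output is a fixed point under re-parsing. The tag and attribute allowlists, the function names (`sanitize`, `sanitize_stable`, `safe_url`) and the sample HTML are all constructed for this example.

```python
"""Allowlist HTML sanitizer that operates on parsed tokens (Python's
html.parser) and emits well-formed output, plus a re-parse stability check.

Illustration only: the allowlists, names and sample input below are
constructed for this example and are not Jupyter's code.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "pre", "code",
                "a", "img", "br", "div", "span", "table", "tr", "td", "th"}
GLOBAL_ATTRS = {"class", "title"}
TAG_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"},
             "td": {"colspan"}, "th": {"colspan"}}
VOID_TAGS = {"img", "br", "hr"}
RAW_TEXT_TAGS = {"script", "style"}       # content dropped entirely
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Allow relative URLs and a few schemes; browsers ignore control
    characters and whitespace inside a scheme, so strip them first."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class TreeSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, innermost last
        self.raw_depth = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
            return
        if self.raw_depth or tag not in ALLOWED_TAGS:
            return            # unlisted tag dropped; its text is kept
        allowed = GLOBAL_ATTRS | TAG_ATTRS.get(tag, set())
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in allowed:
                continue      # event handlers and unlisted attributes never pass
            if name in ("href", "src") and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if self.raw_depth or tag not in self.open:
            return            # stray close tag: ignore
        # Close everything opened after `tag` so the output stays balanced.
        while True:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped because the
    # base-class default handlers emit nothing.

    def result(self) -> str:
        self.close()
        while self.open:      # close tags left open at end of input
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    parser = TreeSanitizer()
    parser.feed(html)
    return parser.result()


def sanitize_stable(html: str, rounds: int = 3) -> str:
    """Reject output that changes when re-parsed: a fixed point means the
    renderer's own parse of the string matches what the sanitizer saw."""
    current = sanitize(html)
    for _ in range(rounds):
        again = sanitize(current)
        if again == current:
            return current
        current = again
    raise ValueError("sanitizer output did not converge")


# Constructed sample: cell output mixing allowed markup with a script tag,
# an event-handler attribute, a javascript: link and unbalanced tags.
SAMPLE = ('<div class="output"><p>Result: 3 &lt; 4</p>'
          '<script>doSomething()</script>'
          '<img src="plot.png" onerror="doSomething()">'
          '<a href="javascript:doSomething()">link</a>'
          '<b>unbalanced <i>markup</div>')

if __name__ == "__main__":
    print(sanitize_stable(SAMPLE))
```

The stability check is the part that addresses the thread's point directly: if a sanitizer's output is not its own fixed point, the browser's parser (or jQuery's) will see a different tree from the one the sanitizer approved, and that difference is where such bypasses live.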

