Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 517222 (CVE-2014-3429) - <dev-python/ipython-1.3: cross-domain websocket hijacking vulnerability (CVE-2014-3429)
Summary: <dev-python/ipython-1.3: cross-domain websocket hijacking vulnerability (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2014-3429
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-16 08:00 UTC by Agostino Sarubbo
Modified: 2015-03-18 17:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-16 08:00:34 UTC 
From ${URL} :

It was reported [1],[2] that IPython's Notebook server suffered from a flaw where it did not verify 
the origin of websocket requests.  An attacker with knowledge of the IPython kernel ID could run 
arbitrary code on a user's machine with the privileges of the user running the IPython Notebook 
server, if the client visited a crafted malicious page.  This was corrected upstream [3] in the 
2.0.0 release [4].  Further details on the flaw were also published [5].

The report that indicates versions 0.12 through to the fixed 2.0.0 release are vulnerable to this 
flaw.  As a result, the version of IPython shipped with EPEL5 (0.8.4) is not vulnerable to this 
issue as the vulnerable websocket code is not present.


[1] http://openwall.com/lists/oss-security/2014/07/15/2
[2] http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
[3] https://github.com/ipython/ipython/pull/4845
[4] http://ipython.org/ipython-doc/stable/whatsnew/github-stats-2.0.html
[5] http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-10-15 21:56:02 UTC 
CVE-2014-3429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3429):
  IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of
  websocket requests, which allows remote attackers to execute arbitrary code
  by leveraging knowledge of the kernel id and a crafted page.
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-03-13 15:11:12 UTC 
+*ipython-2.4.1 (13 Mar 2015)
+
+  13 Mar 2015; Justin Lecher <jlec@gentoo.org> +ipython-2.4.1.ebuild,
+  -files/62ipython-gentoo.el, -files/ipython-0.12-globalpath.patch,
+  -files/ipython-0.13-umlaut.patch, -files/ipython-0.9.1-globalpath.patch,
+  -files/ipython-1.0.0-setuptools.patch, -ipython-0.10.2.ebuild,
+  -ipython-1.0.0.ebuild, -ipython-1.2.1.ebuild, -ipython-2.4.0.ebuild,
+  ipython-2.2.0.ebuild, ipython-3.0.0.ebuild:
+  Version Bump, bug #539578; fix SLOT operators loosen USE constraints for
+  USE=doc, bug #542426; don't build API docs for iypthon-3 due to missing
+  buildtime deps, bug #541832; drop old fixes CVE-2014-3429 bug #517222 and
+  obsolets bug #486880, bug #489372, bug #489384, bug #428170, bug #407823, bug
+  #407715, bug #490166, bug #456960, bug #483580, bug #530324, bug #536386 and
+  bug #481726
+
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-03-13 15:11:25 UTC 
@security, tree is clean.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-13 17:36:27 UTC 
(In reply to Justin Lecher from comment #3)
> @security, tree is clean.

Thanks.

GLSA Vote: No
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 17:52:22 UTC 
GLSA vote: no.

Closing as [noglsa]