
Bug 560708 (CVE-2015-7337)

Summary: <dev-python/ipython-3.2.1-r1: Maliciously crafted files can be executed due to wrong file type determination (CVE-2015-7337)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: marius.brehler+gentoo, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1264067
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-09-17 13:02:59 UTC
From ${URL} :

A vulnerability in IPython allowing a maliciously forged file to be opened for editing that could
execute JavaScript code, specifically by being redirected to /files/ due to mistakenly treating
the file as plain text. Versions >= 3.0 and <= 3.2.1 of IPython are affected.

Upstream patch:

https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967

CVE request:

http://seclists.org/oss-sec/2015/q3/558


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 13:18:31 UTC
@marbre, could you please see whether there is any chance to get a fix for <ipython-4 into the tree? And if so, please send a PR
Comment 2 Marius Brehler 2015-09-17 15:23:00 UTC
Done for ipython 3.2.0 and 3.2.1 (now both -r1).
https://github.com/gentoo/gentoo/pull/100
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 18:38:54 UTC
commit c1ffdebd962ee305a51efc42433c42ce27ab814b
Author: Justin Lecher <jlec@gentoo.org>
Date:   Thu Sep 17 20:37:02 2015 +0200

    Merge branch 'marbre-ipython'

    * marbre-ipython:
      dev-python/ipython: Fix security issue

    Github: Closes gentoo/gentoo#100

    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1ffdebd962ee305a51efc42433c42ce27ab814b
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 18:40:14 UTC
@arches, please stable

dev-python/ipython-3.2.1-r1
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-18 07:43:10 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-18 07:43:41 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-20 08:40:04 UTC
Stable for PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-09-22 09:01:18 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2015-09-22 09:25:17 UTC
commit 109af39f8885db800c3a13931c80d31d83939d9d
Author: Justin Lecher <jlec@gentoo.org>
Date:   Tue Sep 22 11:24:37 2015 +0200
    
    dev-python/ipython: Drop vulnerable version
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=560708
    
    Package-Manager: portage-2.2.21
    Signed-off-by: Justin Lecher <jlec@gentoo.org>
    
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=109af39f8885db800c3a13931c80d31d83939d9d
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2015-09-22 09:25:29 UTC
@sec, all clean now.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-09-24 01:15:45 UTC
Maintainer(s), thank you for the cleanup.

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-17 16:48:07 UTC
This issue was resolved and addressed in GLSA 201512-02 at https://security.gentoo.org/glsa/201512-02
by GLSA coordinator Yury German (BlueKnight).