Bug 560708 (CVE-2015-7337) - <dev-python/ipython-3.2.1-r1: Maliciously crafted files can be executed due to wrong file type determination (CVE-2015-7337)
Alias: CVE-2015-7337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2015-09-17 13:02 UTC by Agostino Sarubbo
Modified: 2015-12-17 16:48 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-09-17 13:02:59 UTC
From ${URL} :

A vulnerability in IPython allows a maliciously forged file to be opened for editing that could execute JavaScript code, specifically by being redirected to /files/ due to mistakenly treating the file as plain text. Versions >= 3.0 and <= 3.2.1 of IPython are affected.

Upstream patch:

CVE request:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 13:18:31 UTC
@marbre, could you please see whether there is any chance to get a fix for <ipython-4 into the tree? And if so, please send a PR
Comment 2 Marius Brehler 2015-09-17 15:23:00 UTC
Done for ipython 3.2.0 and 3.2.1 (now both -r1).
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 18:38:54 UTC
commit c1ffdebd962ee305a51efc42433c42ce27ab814b
Author: Justin Lecher <>
Date:   Thu Sep 17 20:37:02 2015 +0200

    Merge branch 'marbre-ipython'

    * marbre-ipython:
      dev-python/ipython: Fix security issue

    Github: Closes gentoo/gentoo#100

    Signed-off-by: Justin Lecher <>
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-09-17 18:40:14 UTC
@arches, please stable

Comment 5 Agostino Sarubbo gentoo-dev 2015-09-18 07:43:10 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-18 07:43:41 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-20 08:40:04 UTC
Stable for PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-09-22 09:01:18 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2015-09-22 09:25:17 UTC
commit 109af39f8885db800c3a13931c80d31d83939d9d
Author: Justin Lecher <>
Date:   Tue Sep 22 11:24:37 2015 +0200
    dev-python/ipython: Drop vulnerable version
    Package-Manager: portage-2.2.21
    Signed-off-by: Justin Lecher <>
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2015-09-22 09:25:29 UTC
@sec, all clean now.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-09-24 01:15:45 UTC
Maintainer(s), thank you for cleanup.

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-17 16:48:07 UTC
This issue was resolved and addressed in
 GLSA 201512-02 at
by GLSA coordinator Yury German (BlueKnight).