Bug 831510 (CVE-2022-21699) - <dev-python/ipython-{7.31.1,8.0.1}: potential Execution with Unnecessary Privileges
Summary: <dev-python/ipython-{7.31.1,8.0.1}: potential Execution with Unnecessary Priv...
Status: IN_PROGRESS
Alias: CVE-2022-21699
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa? cleanup]
Keywords:
Depends on: 831511
Blocks:
Reported: 2022-01-19 22:25 UTC by Michał Górny
Modified: 2022-01-21 01:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny (gentoo-dev, Security) 2022-01-19 22:25:22 UTC
IPython 8.0.1 (CVE-2022-21699)
------------------------------

IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some default
values in order to prevent potential Execution with Unnecessary Privileges.

Almost all versions of IPython look for configuration and profiles in the current
working directory. Since IPython was developed before pip and environments
existed, this was used as a convenient way to load code/packages in a
project-dependent way.

In 2022, it is not necessary anymore, and it can lead to confusing behavior where,
for example, cloning a repository and starting IPython, or loading a notebook from
any Jupyter-compatible interface that has ipython set as a kernel, can lead to
code execution.
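The description above explains the mechanism: an unpatched IPython picks up configuration and profile files from whatever directory it is started in, so a freshly cloned repository can carry files that run at interpreter start. The script below is an added example written for this page; it is not code from the bug, from Gentoo or from the IPython project. It does two defender-side things: it reports whether an IPython version string is below the fixed releases named in the description (5.11, 7.31.1, 8.0.1), and it scans a directory for the files that a pre-fix IPython would load from the working directory. The concrete file names it looks for (`ipython_config.py`, and `profile_default/startup/*.py` / `*.ipy`) are an assumption taken from IPython's usual layout, not something the bug page states, and the treatment of series without a fixed release (e.g. 6.x) as affected is likewise an assumption based on "almost all versions".

```python
"""Defender-side checks for CVE-2022-21699 (added example, not from the bug page or IPython).

Assumptions not stated on the bug page: the files a pre-fix IPython loads from the
working directory are ``ipython_config.py`` and ``profile_default/startup/*.py|*.ipy``;
release series with no fixed version (e.g. 6.x) are treated as affected.
Fixed versions 5.11, 7.31.1 and 8.0.1 come from the bug description.
"""
import re
import tempfile
from pathlib import Path

# First fixed release per major series, as (major, minor, patch) -- from the advisory text.
FIXED = {5: (5, 11, 0), 7: (7, 31, 1), 8: (8, 0, 1)}

# Names assumed to be picked up from the cwd by an unpatched IPython (assumption).
CONFIG_FILE = "ipython_config.py"
PROFILE_DIR = "profile_default"
STARTUP_GLOBS = ("*.py", "*.ipy")


def parse_version(text):
    """Turn '7.31.1' or '8.0' into a (major, minor, patch) tuple; missing parts become 0."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised IPython version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version):
    """True if this IPython version still loads config/profiles from the cwd.

    Series with their own fix (5, 7, 8) are compared against that fix; any other
    version is affected if it predates 8.0.1 (assumption: no fix exists for it).
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return v < FIXED[8]
    return v < fixed


def find_cwd_config(directory):
    """Return the paths under `directory` that an unpatched IPython would load on start."""
    root = Path(directory)
    found = []
    cfg = root / CONFIG_FILE
    if cfg.is_file():
        found.append(cfg)
    startup = root / PROFILE_DIR / "startup"
    if startup.is_dir():
        for pattern in STARTUP_GLOBS:
            found.extend(sorted(startup.glob(pattern)))
    # Report paths relative to the scanned directory, with '/' separators on every OS.
    return [p.relative_to(root).as_posix() for p in found]


def demo():
    """Build a constructed 'cloned repository' in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / PROFILE_DIR / "startup"
        startup.mkdir(parents=True)
        # Constructed sample files: content is inert, only their presence matters here.
        (startup / "00-init.py").write_text("# constructed sample: would run at IPython start\n")
        (Path(tmp) / CONFIG_FILE).write_text("# constructed sample config\n")
        return find_cwd_config(tmp)


if __name__ == "__main__":
    for v in ("7.30.1", "7.31.1", "8.0.0", "8.0.1", "5.10", "5.11", "6.5.0"):
        print(f"IPython {v}: {'affected' if is_affected(v) else 'fixed'}")
    print("files an unpatched IPython would load from cwd:", demo())
```

`find_cwd_config` is the useful half for an operator: run it against a repository before starting IPython or a Jupyter kernel in it, and treat any hit as something to inspect, because on an affected version those files execute with the privileges of the user launching the shell. `is_affected` is intentionally conservative, flagging every version that is not known from the description to carry the fix.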
Comment 1 John Helmert III (gentoo-dev, Security) 2022-01-19 23:50:58 UTC
Thank you for reporting!
Comment 2 Michał Górny (gentoo-dev, Security) 2022-01-20 14:03:20 UTC
cleanup done.