Your message dated Sat, 18 Oct 2014 12:06:30 +0100
with message-id <E1XfRqA-0002Rl-BV@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #755263,
regarding wheezy-pu: package ipython/0.13.1-2+deb7u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
755263: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755263
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team,
I would like to update ipython in wheezy to fix CVE-2014-3429.
It is a remote execution flaw via cross origin websockets, but one
requires a uuid from the process in order to make use of it, so it was
decided by the security team that it's severe enough for a DSA.
But it should still be fixed in stable just in case.
See this page for details of the issue:
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
diff -Nru ipython-0.13.1/debian/changelog ipython-0.13.1/debian/changelog
--- ipython-0.13.1/debian/changelog 2012-11-25 20:04:22.000000000 +0100
+++ ipython-0.13.1/debian/changelog 2014-07-16 20:29:04.000000000 +0200
@@ -1,3 +1,9 @@
+ipython (0.13.1-2+deb7u1) stable-security; urgency=medium
+
+ * Fix CVE-2014-3429: remote execution via cross origin websocket
+
+ -- Julian Taylor <jtaylor.deb...@googlemail.com> Wed, 16 Jul 2014 20:27:50 +0200
+
ipython (0.13.1-2) unstable; urgency=low
* update watch file to use github directly
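Review bot: the distribution in the new changelog entry (`+ipython (0.13.1-2+deb7u1) stable-security; urgency=medium`) does not match the request, which is a wheezy-pu upload tagged `Usertags: pu`; a stable-proposed-updates upload should name `wheezy` as the distribution, since `stable-security` is the target for security-team (DSA) uploads. Please correct the suite before uploading, and consider saying in the entry that the fix adds an Origin check to the notebook websocket handler so the changelog alone explains the security impact.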
diff -Nru ipython-0.13.1/debian/patches/CVE-2014-3429.patch ipython-0.13.1/debian/patches/CVE-2014-3429.patch
--- ipython-0.13.1/debian/patches/CVE-2014-3429.patch 1970-01-01 01:00:00.000000000 +0100
+++ ipython-0.13.1/debian/patches/CVE-2014-3429.patch 2014-07-16 20:27:40.000000000 +0200
@@ -0,0 +1,60 @@
+Description: check origin of websocket connection CVE-2014-3429
+Origin: https://github.com/ipython/ipython/pull/4845
+
+--- a/IPython/frontend/html/notebook/handlers.py
++++ b/IPython/frontend/html/notebook/handlers.py
+@@ -16,6 +16,11 @@ Authors:
+ # Imports
+ #-----------------------------------------------------------------------------
+
++try:
++ from urllib.parse import urlparse # Py 3
++except ImportError:
++ from urlparse import urlparse # Py 2
++
+ import logging
+ import Cookie
+ import time
+@@ -368,6 +373,30 @@ class KernelActionHandler(AuthenticatedH
+
+ class ZMQStreamHandler(websocket.WebSocketHandler):
+
++ def same_origin(self):
++ """Check to see that origin and host match in the headers."""
++
++ # The difference between version 8 and 13 is that in 8 the
++ # client sends a "Sec-Websocket-Origin" header and in 13 it's
++ # simply "Origin".
++ if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
++ origin_header = self.request.headers.get("Sec-Websocket-Origin")
++ else:
++ origin_header = self.request.headers.get("Origin")
++
++ host = self.request.headers.get("Host")
++
++ # If no header is provided, assume we can't verify origin
++ if(origin_header is None or host is None):
++ return False
++
++ parsed_origin = urlparse(origin_header)
++ origin = parsed_origin.netloc
++
++ # Check to see that origin matches host directly, including ports
++ return origin == host
++
++
+ def _reserialize_reply(self, msg_list):
+ """Reserialize a reply message using JSON.
+
+@@ -409,6 +438,11 @@ class ZMQStreamHandler(websocket.WebSock
+ class AuthenticatedZMQStreamHandler(ZMQStreamHandler):
+
+ def open(self, kernel_id):
++ # Check to see that origin matches host directly, including ports
++ if not self.same_origin():
++ self.log.warn("Cross Origin WebSocket Attempt.")
++ raise web.HTTPError(404)
++
+ self.kernel_id = kernel_id.decode('ascii')
+ try:
+ cfg = self.application.ipython_app.config
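Review bot: the `same_origin` check in the second nested hunk compares `urlparse(origin_header).netloc` with the raw `Host` header as strings, so any deployment where the two legitimately differ (a reverse proxy that rewrites `Host`, or a client that sends no `Origin` header at all, which the code maps to `return False`) now gets `HTTPError(404)` from `open()`. That is the safe, fail-closed behaviour, but it is an operational change for proxied notebooks and non-browser websocket clients, so the patch `Description:` line (and ideally the changelog) should say so, and a DEP-3 `Bug-Debian:` field pointing at this report would help future readers. Also note that `same_origin` is defined on `ZMQStreamHandler` but only enforced in `AuthenticatedZMQStreamHandler.open`, so the protection depends on every websocket handler in this module going through that `open`; that is worth confirming against the 0.13.1 source rather than only the lines shown here.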
diff -Nru ipython-0.13.1/debian/patches/series ipython-0.13.1/debian/patches/series
--- ipython-0.13.1/debian/patches/series 2012-11-25 20:04:22.000000000 +0100
+++ ipython-0.13.1/debian/patches/series 2014-07-16 20:26:58.000000000 +0200
@@ -5,3 +5,4 @@
use-system-mathjax-if-available.patch
parallel-2to3.patch
shared-static-path.patch
+CVE-2014-3429.patch
--- End Message ---
--- Begin Message ---
Version: 7.7
The upload discussed in this bug was included in the 7.7 point release.
Regards,
Adam
--- End Message ---