[Bugs] [Bug 13543] New: [CVE 21] ipython 7.34.0 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Авг 23 23:20:52 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13543

          Platform: 2021.1
            Bug ID: 13543
           Summary: [CVE 21] ipython 7.34.0  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-24816,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package ipython version 7.34.0

INFO (CVEs are): ipython 7.34.0
 cves found
CVE-2023-24816
Desc: IPython (Interactive Python) is a command shell for interactive computing
in multiple programming languages, originally developed for the Python
programming language. Versions prior to 8.1.0 are subject to a command
injection vulnerability with very specific prerequisites. This vulnerability
requires that the function `IPython.utils.terminal.set_term_title` be called on
Windows in a Python environment where ctypes is not available. The dependency
on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from
ever being reached in the ipython binary. However, as a library that could be
used by another tool `set_term_title` could be called and hence introduce a
vulnerability. Should an attacker get untrusted input to an instance of this
function they would be able to inject shell commands as current process and
limited to the scope of the current process. Users of ipython as a library are
advised to upgrade. Users unable to upgrade should ensure that any calls to the
`IPython.utils.terminal.set_term_title` function are done with trusted or
filtered input.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-24816
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/8b86c687/attachment.html>

Подробная информация о списке рассылки Bugs