Headline
CVE-2022-39286: Merge pull request from GHSA-m678-f26j-3hrp · jupyter/jupyter_core@1118c8c
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
@@ -69,43 +69,51 @@ def test_generate_config():
def test_load_config(): config_dir = mkdtemp() wd = mkdtemp() os.environ[“JUPYTER_CONFIG_PATH”] = str(config_dir) with open(pjoin(config_dir, “dummy_app_config.py”), “w", encoding="utf-8”) as f: f.write(“c.DummyApp.m = 1\n”) f.write(“c.DummyApp.n = 1”) with patch.object(os, "getcwd", lambda: wd): app = DummyApp(config_dir=config_dir) app.initialize([])
app = DummyApp(config_dir=config_dir) app.initialize([])
assert app.n == 1, “Loaded config from config dir” assert app.m == 1, “Loaded config from config dir”
shutil.rmtree(config_dir) del os.environ[“JUPYTER_CONFIG_PATH”]
with open(pjoin(wd, “dummy_app_config.py”), “w", encoding="utf-8”) as f: f.write(“c.DummyApp.n = 2”)
def test_load_config_no_cwd(): config_dir = mkdtemp() wd = mkdtemp() with open(pjoin(wd, “dummy_app_config.py”), “w", encoding="utf-8”) as f: f.write(“c.DummyApp.m = 1\n”) f.write(“c.DummyApp.n = 1”) with patch.object(os, "getcwd", lambda: wd): app = DummyApp(config_dir=config_dir) app.initialize([])
assert app.m == 1, “Loaded config from config dir” assert app.n == 2, “Loaded config from CWD” assert app.n == 0 assert app.m == 0
shutil.rmtree(config_dir) shutil.rmtree(wd)
def test_load_bad_config(): config_dir = mkdtemp() wd = mkdtemp() os.environ[“JUPYTER_CONFIG_PATH”] = str(config_dir) with open(pjoin(config_dir, “dummy_app_config.py”), “w", encoding="utf-8”) as f: f.write(‘c.DummyApp.m = "a\n’) # Syntax error with patch.object(os, "getcwd", lambda: wd): with pytest.raises(SyntaxError): app = DummyApp(config_dir=config_dir) app.raise_config_file_errors = True app.initialize([])
with pytest.raises(SyntaxError): app = DummyApp(config_dir=config_dir) app.raise_config_file_errors = True app.initialize([])
shutil.rmtree(config_dir) shutil.rmtree(wd) del os.environ[“JUPYTER_CONFIG_PATH”]
def test_runtime_dir_changed():
Related news
Ubuntu Security Notice 6153-1 - It was discovered that Jupyter Core executed untrusted files in the current working directory. An attacker could possibly use this issue to execute arbitrary code.
Debian Linux Security Advisory 5422-1 - It was discovered that jupyter-core, the core common functionality for Jupyter projects, could execute arbitrary code in the current working directory while loading configuration files.
Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.
### Impact _What kind of vulnerability is it? Who is impacted?_ We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to `jupyter_core>=4.11.2`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ No ### References _Are there any links users can visit to find out more?_ Similar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)