
Bug#755263: wheezy-pu: package ipython/0.13.1-2+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team

I would like to update ipython in wheezy to fix CVE-2014-3429.
It is a remote execution flaw via cross origin websockets, but one
requires a uuid from the process in order to make use of it so it was
decided by the security team that it's severe enough for a DSA.
But it should still be fixed in stable just in case.

See this page for details of the issue:
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
diff -Nru ipython-0.13.1/debian/changelog ipython-0.13.1/debian/changelog
--- ipython-0.13.1/debian/changelog	2012-11-25 20:04:22.000000000 +0100
+++ ipython-0.13.1/debian/changelog	2014-07-16 20:29:04.000000000 +0200
@@ -1,3 +1,9 @@
+ipython (0.13.1-2+deb7u1) stable-security; urgency=medium
+
+  * Fix CVE-2014-3429: remote execution via cross origin websocket
+
+ -- Julian Taylor <jtaylor.debian@googlemail.com>  Wed, 16 Jul 2014 20:27:50 +0200
+
 ipython (0.13.1-2) unstable; urgency=low
 
   * update watch file to use github directly
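
Review bot: the distribution in the new changelog entry is "stable-security", but this request is filed as a wheezy-pu against release.debian.org and the accompanying text asks for a fix in stable rather than through a DSA. For an upload through proposed-updates the entry should target "wheezy" (or "stable"); the +deb7u1 version suffix is fine as it stands. The entry could also reference this bug number so the upload is linked to the request.
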
diff -Nru ipython-0.13.1/debian/patches/CVE-2014-3429.patch ipython-0.13.1/debian/patches/CVE-2014-3429.patch
--- ipython-0.13.1/debian/patches/CVE-2014-3429.patch	1970-01-01 01:00:00.000000000 +0100
+++ ipython-0.13.1/debian/patches/CVE-2014-3429.patch	2014-07-16 20:27:40.000000000 +0200
@@ -0,0 +1,60 @@
+Description: check origin of websocket connection CVE-2014-3429
+Origin: https://github.com/ipython/ipython/pull/4845
+
+--- a/IPython/frontend/html/notebook/handlers.py
++++ b/IPython/frontend/html/notebook/handlers.py
+@@ -16,6 +16,11 @@ Authors:
+ # Imports
+ #-----------------------------------------------------------------------------
+ 
++try:
++    from urllib.parse import urlparse # Py 3
++except ImportError:
++    from urlparse import urlparse # Py 2
++
+ import logging
+ import Cookie
+ import time
+@@ -368,6 +373,30 @@ class KernelActionHandler(AuthenticatedH
+ 
+ class ZMQStreamHandler(websocket.WebSocketHandler):
+ 
++    def same_origin(self):
++        """Check to see that origin and host match in the headers."""
++
++        # The difference between version 8 and 13 is that in 8 the
++        # client sends a "Sec-Websocket-Origin" header and in 13 it's
++        # simply "Origin".
++        if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
++            origin_header = self.request.headers.get("Sec-Websocket-Origin")
++        else:
++            origin_header = self.request.headers.get("Origin")
++
++        host = self.request.headers.get("Host")
++
++        # If no header is provided, assume we can't verify origin
++        if(origin_header is None or host is None):
++            return False
++
++        parsed_origin = urlparse(origin_header)
++        origin = parsed_origin.netloc
++
++        # Check to see that origin matches host directly, including ports
++        return origin == host
++
++
+     def _reserialize_reply(self, msg_list):
+         """Reserialize a reply message using JSON.
+ 
+@@ -409,6 +438,11 @@ class ZMQStreamHandler(websocket.WebSock
+ class AuthenticatedZMQStreamHandler(ZMQStreamHandler):
+ 
+     def open(self, kernel_id):
++        # Check to see that origin matches host directly, including ports
++        if not self.same_origin():
++            self.log.warn("Cross Origin WebSocket Attempt.")
++            raise web.HTTPError(404)
++
+         self.kernel_id = kernel_id.decode('ascii')
+         try:
+             cfg = self.application.ipython_app.config
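
Review bot: same_origin() returns False whenever Origin (or Sec-Websocket-Origin) is absent and otherwise requires "origin == host" as an exact string match, so after this update any WebSocket client that does not send an Origin header, and any deployment where a reverse proxy rewrites Host, will be refused in open(). Failing closed is the right default for this CVE, but it is a behaviour change for a stable release and should be mentioned in the changelog or NEWS so users know why connections start failing. Two smaller points in the open() addition: the visible context only shows a module-level "import logging", so please confirm that self.log exists on this handler in 0.13.1 (otherwise "self.log.warn" raises AttributeError instead of logging the attempt), and the DEP-3 header of the patch could carry a Bug-Debian field pointing at this report.
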
diff -Nru ipython-0.13.1/debian/patches/series ipython-0.13.1/debian/patches/series
--- ipython-0.13.1/debian/patches/series	2012-11-25 20:04:22.000000000 +0100
+++ ipython-0.13.1/debian/patches/series	2014-07-16 20:26:58.000000000 +0200
@@ -5,3 +5,4 @@
 use-system-mathjax-if-available.patch
 parallel-2to3.patch
 shared-static-path.patch
+CVE-2014-3429.patch
