Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu

Hi release team,

I would like to update ipython in wheezy to fix CVE-2014-3429.
It is a remote execution flaw via cross origin websockets, but one requires a uuid from the process in order to make use of it, so it was decided by the security team that it's severe enough for a DSA. But it should still be fixed in stable just in case.

See this page for details of the issue:
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython

diff -Nru ipython-0.13.1/debian/changelog ipython-0.13.1/debian/changelog --- ipython-0.13.1/debian/changelog 2012-11-25 20:04:22.000000000 +0100 +++ ipython-0.13.1/debian/changelog 2014-07-16 20:29:04.000000000 +0200 @@ -1,3 +1,9 @@ +ipython (0.13.1-2+deb7u1) stable-security; urgency=medium + + * Fix CVE-2014-3429: remote execution via cross origin websocket + + -- Julian Taylor <[email protected]> Wed, 16 Jul 2014 20:27:50 +0200 + ipython (0.13.1-2) unstable; urgency=low * update watch file to use github directly diff -Nru ipython-0.13.1/debian/patches/CVE-2014-3429.patch ipython-0.13.1/debian/patches/CVE-2014-3429.patch --- ipython-0.13.1/debian/patches/CVE-2014-3429.patch 1970-01-01 01:00:00.000000000 +0100 +++ ipython-0.13.1/debian/patches/CVE-2014-3429.patch 2014-07-16 20:27:40.000000000 +0200 
@@ -0,0 +1,60 @@ +Description: check origin of websocket connection CVE-2014-3429 +Origin: https://github.com/ipython/ipython/pull/4845 + +--- a/IPython/frontend/html/notebook/handlers.py ++++ b/IPython/frontend/html/notebook/handlers.py +@@ -16,6 +16,11 @@ Authors: + # Imports + #----------------------------------------------------------------------------- + ++try: ++ from urllib.parse import urlparse # Py 3 ++except ImportError: ++ from urlparse import urlparse # Py 2 ++ + import logging + import Cookie + import time +@@ -368,6 +373,30 @@ class KernelActionHandler(AuthenticatedH + + class ZMQStreamHandler(websocket.WebSocketHandler): + ++ def same_origin(self): ++ """Check to see that origin and host match in the headers.""" ++ ++ # The difference between version 8 and 13 is that in 8 the ++ # client sends a "Sec-Websocket-Origin" header and in 13 it's ++ # simply "Origin". ++ if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"): ++ origin_header = self.request.headers.get("Sec-Websocket-Origin") ++ else: ++ origin_header = self.request.headers.get("Origin") ++ ++ host = self.request.headers.get("Host") ++ ++ # If no header is provided, assume we can't verify origin ++ if(origin_header is None or host is None): ++ return False ++ ++ parsed_origin = urlparse(origin_header) ++ origin = parsed_origin.netloc ++ ++ # Check to see that origin matches host directly, including ports ++ return origin == host ++ ++ + def _reserialize_reply(self, msg_list): + """Reserialize a reply message using JSON. 
+ +@@ -409,6 +438,11 @@ class ZMQStreamHandler(websocket.WebSock + class AuthenticatedZMQStreamHandler(ZMQStreamHandler): + + def open(self, kernel_id): ++ # Check to see that origin matches host directly, including ports ++ if not self.same_origin(): ++ self.log.warn("Cross Origin WebSocket Attempt.") ++ raise web.HTTPError(404) ++ + self.kernel_id = kernel_id.decode('ascii') + try: + cfg = self.application.ipython_app.config diff -Nru ipython-0.13.1/debian/patches/series ipython-0.13.1/debian/patches/series --- ipython-0.13.1/debian/patches/series 2012-11-25 20:04:22.000000000 +0100 +++ ipython-0.13.1/debian/patches/series 2014-07-16 20:26:58.000000000 +0200 @@ -5,3 +5,4 @@ use-system-mathjax-if-available.patch parallel-2to3.patch shared-static-path.patch +CVE-2014-3429.patch
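
Review bot: In the debian/changelog hunk the new entry targets `stable-security`, but this request is filed with the release team as a proposed update (Usertags: pu). An upload that goes through proposed-updates should name the target suite, so the first line would read `ipython (0.13.1-2+deb7u1) wheezy; urgency=medium`. The entry could also name the file it adds, debian/patches/CVE-2014-3429.patch, so the changelog points at the actual change.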
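
Review bot: In same_origin(), `return origin == host` is an exact, case-sensitive string comparison of the Origin netloc against the raw Host header, and the scheme from the parsed origin is discarded. Host names are case-insensitive, and in any deployment where a front end rewrites Host (a reverse proxy, for instance) every legitimate browser connection will fail this check, with nothing in the hunk offering a way to allow it. Lowercasing both sides before comparing, and stating the proxy limitation in the patch Description, would cover this. The `origin_header is None` branch also returns False, so websocket clients that send no Origin header at all are refused after this update, which is a behaviour change worth a line in the changelog for a stable upload.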
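
Review bot: In AuthenticatedZMQStreamHandler.open(), the warning `self.log.warn("Cross Origin WebSocket Attempt.")` records neither the Origin nor the Host value that failed the check, so an administrator reading the log cannot tell a misconfigured front end from a hostile page. Including both header values and the remote address in the message would make the rejection diagnosable. The rejection is also raised as `web.HTTPError(404)`, while 403 describes a refused cross-origin request more accurately; if 404 is intentional, a comment saying why would help.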

