File CVE-2022-21699-unnecessary-privs.patch of Package python-ipython.17515

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-21699-unnecessary-privs.patch of Package python-ipython.17515

From 1ec91ebf328bdf3450130de4b4604c79dc1e19d9 Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier <bussonniermatthias@gmail.com>
Date: Sat, 15 Jan 2022 19:43:14 +0100
Subject: [PATCH 1/3] FIX CVE-2022-21699

See https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
---
 IPython/__init__.py         |    4 +++
 IPython/core/application.py |    2 -
 IPython/core/profileapp.py  |    7 +++--
 IPython/core/profiledir.py  |    4 +--
 IPython/tests/cve.py        |   56 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 67 insertions(+), 6 deletions(-)

--- a/IPython/__init__.py
+++ b/IPython/__init__.py
@@ -65,6 +65,10 @@ __author__ = '%s <%s>' % (release.author
 __license__  = release.license
 __version__  = release.version
 version_info = release.version_info
+# list of CVEs that should have been patched in this release.
+# this is informational and should not be relied upon.
+__patched_cves__ = {"CVE-2022-21699"}
+
 
 def embed_kernel(module=None, local_ns=None, **kwargs):
     """Embed and start an IPython kernel in a given scope.
--- a/IPython/core/application.py
+++ b/IPython/core/application.py
@@ -133,7 +133,7 @@ class BaseIPythonApplication(Application
     config_file_paths = List(Unicode())
     @default('config_file_paths')
     def _config_file_paths_default(self):
-        return [os.getcwd()]
+        return []
 
     extra_config_file = Unicode(
     help="""Path to an extra config file to load.
--- a/IPython/core/profileapp.py
+++ b/IPython/core/profileapp.py
@@ -181,9 +181,10 @@ class ProfileList(Application):
         profiles = list_profiles_in(os.getcwd())
         if profiles:
             print()
-            print("Available profiles in current directory (%s):" % os.getcwd())
-            self._print_profiles(profiles)
-        
+            print(
+                "Profiles from CWD have been removed for security reason, see CVE-2022-21699:"
+            )
+
         print()
         print("To use any of the above profiles, start IPython with:")
         print("    ipython --profile=<name>")
--- a/IPython/core/profiledir.py
+++ b/IPython/core/profiledir.py
@@ -186,7 +186,7 @@ class ProfileDir(LoggingConfigurable):
         is not found, a :class:`ProfileDirError` exception will be raised.
 
         The search path algorithm is:
-        1. ``os.getcwd()``
+        1. ``os.getcwd()`` # removed for security reason.
         2. ``ipython_dir``
 
         Parameters
@@ -198,7 +198,7 @@ class ProfileDir(LoggingConfigurable):
             will be "profile_<profile>".
         """
         dirname = u'profile_' + name
-        paths = [os.getcwd(), ipython_dir]
+        paths = [ipython_dir]
         for p in paths:
             profile_dir = os.path.join(p, dirname)
             if os.path.isdir(profile_dir):
--- /dev/null
+++ b/IPython/tests/cve.py
@@ -0,0 +1,56 @@
+"""
+Test that CVEs stay fixed.
+"""
+
+from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory
+from pathlib import Path
+import random
+import sys
+import os
+import string
+import subprocess
+import time
+
+def test_cve_2022_21699():
+    """
+    Here we test CVE-2022-21699.
+
+    We create a temporary directory, cd into it.
+    Make a profile file that should not be executed and start IPython in a subprocess,
+    checking for the value.
+
+
+
+    """
+
+    dangerous_profile_dir = Path('profile_default')
+
+    dangerous_startup_dir = dangerous_profile_dir / 'startup'
+    dangerous_expected = 'CVE-2022-21699-'+''.join([random.choice(string.ascii_letters) for i in range(10)])
+
+    with TemporaryWorkingDirectory() as t:
+        dangerous_startup_dir.mkdir(parents=True)
+        (dangerous_startup_dir/ 'foo.py').write_text(f'print("{dangerous_expected}")')
+        # 1 sec to make sure FS is flushed.
+        #time.sleep(1)
+        cmd = [sys.executable,'-m', 'IPython']
+        env = os.environ.copy()
+        env['IPY_TEST_SIMPLE_PROMPT'] = '1'
+
+
+        # First we fake old behavior, making sure the profile is/was actually dangerous
+        p_dangerous = subprocess.Popen(cmd + [f'--profile-dir={dangerous_profile_dir}'], env=env, stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r")
+        assert dangerous_expected in out_dangerous.decode()
+
+        # Now that we know it _would_ have been dangerous, we test it's not loaded
+        p = subprocess.Popen(cmd, env=env, stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        out, err = p.communicate(b"exit\r")
+        assert b'IPython' in out
+        assert dangerous_expected not in out.decode()
+        assert err == b''
+
+
+

Places

File CVE-2022-21699-unnecessary-privs.patch of Package python-ipython.17515

Places