mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-27 12:01:38 +01:00
bbcf3d7d14
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
95 lines
3.5 KiB
Diff
95 lines
3.5 KiB
Diff
From 06db417ff15192d73ddac4bf0e2f20579d47b2e0 Mon Sep 17 00:00:00 2001
|
|
From: Konstantin Weddige <konstantin.weddige@lutrasecurity.com>
|
|
Date: Sat, 3 Dec 2022 19:14:09 +0100
|
|
Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code.
|
|
|
|
Remove legacy code that might trigger a CVE.
|
|
|
|
Currently set_term_title is only called with (semi-)trusted input that
|
|
contain the current working directory of the current IPython session. If
|
|
an attacker can control directory names, and manage to get a user cd
|
|
into this directory the attacker can execute arbitrary commands
|
|
contained in the folder names.
|
|
|
|
Example:
|
|
|
|
- On a windows machine where python is built without _ctypes, create
|
|
a folder called && echo "pwn" > pwn.txt. This can be done by for
|
|
example cloning a git repository.
|
|
- call toggled_set_term_title(True), (or have the preference to
|
|
true)
|
|
- Open IPython and cd into this directory.
|
|
- the folder now contain a pwn.txt, with pwn as content, despite the
|
|
user not asking for any code execution.
|
|
|
|
Workaround:
|
|
|
|
Set the configuration option
|
|
c.TerminalInteractiveShell.term_title_format='IPython' (or to any
|
|
other fixed, safe string).
|
|
|
|
CVE: CVE-2023-24816
|
|
Upstream-Status: Backport [https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f]
|
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
|
---
|
|
IPython/__init__.py | 2 +-
|
|
IPython/utils/terminal.py | 32 ++++++++------------------------
|
|
2 files changed, 9 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/IPython/__init__.py b/IPython/__init__.py
|
|
index e12da90..20e6e48 100644
|
|
--- a/IPython/__init__.py
|
|
+++ b/IPython/__init__.py
|
|
@@ -62,7 +62,7 @@ __version__ = release.version
|
|
version_info = release.version_info
|
|
# list of CVEs that should have been patched in this release.
|
|
# this is informational and should not be relied upon.
|
|
-__patched_cves__ = {"CVE-2022-21699"}
|
|
+__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}
|
|
|
|
|
|
def embed_kernel(module=None, local_ns=None, **kwargs):
|
|
diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
|
|
index 49fd3fe..d884799 100644
|
|
--- a/IPython/utils/terminal.py
|
|
+++ b/IPython/utils/terminal.py
|
|
@@ -79,30 +79,14 @@ if os.name == 'posix':
|
|
_set_term_title = _set_term_title_xterm
|
|
_restore_term_title = _restore_term_title_xterm
|
|
elif sys.platform == 'win32':
|
|
- try:
|
|
- import ctypes
|
|
-
|
|
- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
|
|
- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
|
|
-
|
|
- def _set_term_title(title):
|
|
- """Set terminal title using ctypes to access the Win32 APIs."""
|
|
- SetConsoleTitleW(title)
|
|
- except ImportError:
|
|
- def _set_term_title(title):
|
|
- """Set terminal title using the 'title' command."""
|
|
- global ignore_termtitle
|
|
-
|
|
- try:
|
|
- # Cannot be on network share when issuing system commands
|
|
- curr = os.getcwd()
|
|
- os.chdir("C:")
|
|
- ret = os.system("title " + title)
|
|
- finally:
|
|
- os.chdir(curr)
|
|
- if ret:
|
|
- # non-zero return code signals error, don't try again
|
|
- ignore_termtitle = True
|
|
+ import ctypes
|
|
+
|
|
+ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
|
|
+ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
|
|
+
|
|
+ def _set_term_title(title):
|
|
+ """Set terminal title using ctypes to access the Win32 APIs."""
|
|
+ SetConsoleTitleW(title)
|
|
|
|
|
|
def set_term_title(title):
|