From 991849c247fc208628879e7ca2923b3c218a5a75 Mon Sep 17 00:00:00 2001
From: Konstantin Weddige
Date: Sat, 3 Dec 2022 19:14:09 +0100
Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
---
 IPython/__init__.py | 2 +-
 IPython/utils/terminal.py | 32 ++++++++----------------------
 docs/source/whatsnew/version8.rst | 12 ++++++++++++
 3 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/IPython/__init__.py b/IPython/__init__.py
index c224f9a8c90..7d3799ab363 100644
--- a/IPython/__init__.py
+++ b/IPython/__init__.py
@@ -63,7 +63,7 @@ version_info = release.version_info
 # list of CVEs that should have been patched in this release.
 # this is informational and should not be relied upon.
-__patched_cves__ = {"CVE-2022-21699"}
+__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}
 def embed_kernel(module=None, local_ns=None, **kwargs):
diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
index 161a9ae6042..b09cfe0d22d 100644
--- a/IPython/utils/terminal.py
+++ b/IPython/utils/terminal.py
@@ -91,30 +91,14 @@ def _restore_term_title_xterm():
 _set_term_title = _set_term_title_xterm
 _restore_term_title = _restore_term_title_xterm
 elif sys.platform == 'win32':
- try:
- import ctypes
-
- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
-
- def _set_term_title(title):
- """Set terminal title using ctypes to access the Win32 APIs."""
- SetConsoleTitleW(title)
- except ImportError:
- def _set_term_title(title):
- """Set terminal title using the 'title' command."""
- global ignore_termtitle
-
- try:
- # Cannot be on network share when issuing system commands
- curr = os.getcwd()
- os.chdir("C:")
- ret = os.system("title " + title)
- finally:
- os.chdir(curr)
- if ret:
- # non-zero return code signals error, don't try again
- ignore_termtitle = True
+ import ctypes
+
+ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+
+ def _set_term_title(title):
+ """Set terminal title using ctypes to access the Win32 APIs."""
+ SetConsoleTitleW(title)
 def set_term_title(title):
diff --git a/docs/source/whatsnew/version8.rst b/docs/source/whatsnew/version8.rst
index 2f743ea8fff..50f1af61beb 100644
--- a/docs/source/whatsnew/version8.rst
+++ b/docs/source/whatsnew/version8.rst
@@ -2,6 +2,18 @@
 8.x Series
 ============
+
+IPython 8.9.1 -------------
+
+Out of schedule release of IPython with minor fixes to patch a potential CVE-2023-24816.
+This is a really low severity CVE that you most likely are not affected by unless:
+
+ - You are on windows.
+ - You have a custom build of Python without ``_ctypes``
+ - You cd or start IPython or Jupyter in untrusted directory which names may be valid shell commands.
+
+
 .. _version 8.9.0:
 IPython 8.9.0
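Review bot: The unconditional `import ctypes` that replaces the `try`/`except ImportError` in the win32 branch of this hunk turns the previously handled case — a Windows Python built without `_ctypes`, the very configuration the commit message describes — into an ImportError raised while `IPython.utils.terminal` is imported, so those interpreters now fail at import time rather than just losing the title feature. Dropping the `os.system("title " + title)` fallback is the right call, since `title` carries the current working directory and `SetConsoleTitleW` with `c_wchar_p` argtypes passes it as data instead of through a shell; the fallback should become a no-op rather than disappear. The old branch also set `ignore_termtitle` on failure, and whether the win32 path still needs that global depends on `set_term_title`, whose body starts at the hunk's last line and continues outside it. Something like the following keeps the fix while degrading gracefully:
```python
elif sys.platform == 'win32':
    try:
        import ctypes
    except ImportError:
        # No _ctypes in this build: never fall back to a shell command, the
        # title contains the cwd (CVE-2023-24816). Leave the title alone.
        def _set_term_title(title):
            """No-op: the Win32 console title API needs ctypes."""
            return
    else:
        SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
        SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]

        def _set_term_title(title):
            """Set terminal title using ctypes to access the Win32 APIs."""
            SetConsoleTitleW(title)
```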