From 991849c247fc208628879e7ca2923b3c218a5a75 2023-02-07 08:03:49 From: Konstantin Weddige Date: 2023-02-07 08:03:49 Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
---
diff --git a/IPython/__init__.py b/IPython/__init__.py
index c224f9a..7d3799a 100644
--- a/IPython/__init__.py
+++ b/IPython/__init__.py
@@ -63,7 +63,7 @@ __version__ = release.version
 version_info = release.version_info
 # list of CVEs that should have been patched in this release.
 # this is informational and should not be relied upon.
-__patched_cves__ = {"CVE-2022-21699"}
+__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}


 def embed_kernel(module=None, local_ns=None, **kwargs):
diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
index 161a9ae..b09cfe0 100644
--- a/IPython/utils/terminal.py
+++ b/IPython/utils/terminal.py
@@ -91,30 +91,14 @@ if os.name == 'posix':
 _set_term_title = _set_term_title_xterm
 _restore_term_title = _restore_term_title_xterm
 elif sys.platform == 'win32':
- try:
- import ctypes
-
- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
-
- def _set_term_title(title):
- """Set terminal title using ctypes to access the Win32 APIs."""
- SetConsoleTitleW(title)
- except ImportError:
- def _set_term_title(title):
- """Set terminal title using the 'title' command."""
- global ignore_termtitle
-
- try:
- # Cannot be on network share when issuing system commands
- curr = os.getcwd()
- os.chdir("C:")
- ret = os.system("title " + title)
- finally:
- os.chdir(curr)
- if ret:
- # non-zero return code signals error, don't try again
- ignore_termtitle = True
+ import ctypes
+
+ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+
+ def _set_term_title(title):
+ """Set terminal title using ctypes to access the Win32 APIs."""
+ SetConsoleTitleW(title)


 def set_term_title(title):
diff --git a/docs/source/whatsnew/version8.rst b/docs/source/whatsnew/version8.rst
index 2f743ea..50f1af6 100644
--- a/docs/source/whatsnew/version8.rst
+++ b/docs/source/whatsnew/version8.rst
@@ -2,6 +2,18 @@
 8.x Series
 ============

+
+IPython 8.9.1
+-------------
+
+Out of schedule release of IPython with minor fixes to patch a potential CVE-2023-24816.
+This is a really low severity CVE that you most likely are not affected by unless:
+
+ - You are on windows.
+ - You have a custom build of Python without ``_ctypes``
+ - You cd or start IPython or Jupyter in untrusted directory which names may be valid shell commands.
+
+
 .. _version 8.9.0:

 IPython 8.9.0
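Review bot: In the win32 branch of IPython/utils/terminal.py, `import ctypes` is now unguarded, so on a Python build without `_ctypes` (the configuration the commit message describes) the ImportError is raised while this module is being imported instead of being handled. Removing the `os.system("title " + title)` fallback is the right fix, since the title is built from the working directory name, but setting a title is cosmetic and should degrade to doing nothing rather than abort the import. I would keep the `try:` around the ctypes setup and end it with `except ImportError: pass  # no shell fallback, title is derived from the cwd (CVE-2023-24816)`; if no do-nothing default for `_set_term_title` is defined earlier in the module, define one in that handler instead. The `if`/`elif` chain starts above the hunk, so whether such a default exists is not visible here.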