From bbcf3d7d14dc871a651070ebc16b0d7a14761ef7 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Tue, 6 Jan 2026 08:33:26 +0100
Subject: python3-ipython: patch CVE-2023-24816
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari
---
 .../python/python3-ipython/CVE-2023-24816.patch | 94 ++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch
(limited to 'meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch')
diff --git a/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch
new file mode 100644
index 0000000000..e5f65fbb68
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch
@@ -0,0 +1,94 @@
+From 06db417ff15192d73ddac4bf0e2f20579d47b2e0 Mon Sep 17 00:00:00 2001
+From: Konstantin Weddige
+Date: Sat, 3 Dec 2022 19:14:09 +0100
+Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code.
+
+Remove legacy code that might trigger a CVE.
+
+Currently set_term_title is only called with (semi-)trusted input that
+contain the current working directory of the current IPython session. If
+an attacker can control directory names, and manage to get a user cd
+into this directory the attacker can execute arbitrary commands
+contained in the folder names.
+
+Example:
+
+ - On a windows machine where python is built without _ctypes, create
+ a folder called && echo "pwn" > pwn.txt. This can be done by for
+ example cloning a git repository.
+ - call toggled_set_term_title(True), (or have the preference to
+ true)
+ - Open IPython and cd into this directory.
+ - the folder now contain a pwn.txt, with pwn as content, despite the
+ user not asking for any code execution.
+
+Workaround:
+
+ Set the configuration option
+ c.TerminalInteractiveShell.term_title_format='IPython' (or to any
+ other fixed, safe string).
+
+CVE: CVE-2023-24816
+Upstream-Status: Backport [https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f]
+Signed-off-by: Gyorgy Sarvari
+---
+ IPython/__init__.py | 2 +-
+ IPython/utils/terminal.py | 32 ++++++++------------------------
+ 2 files changed, 9 insertions(+), 25 deletions(-)
+
+diff --git a/IPython/__init__.py b/IPython/__init__.py
+index e12da90..20e6e48 100644
+--- a/IPython/__init__.py
++++ b/IPython/__init__.py
+@@ -62,7 +62,7 @@ __version__ = release.version
+ version_info = release.version_info
+ # list of CVEs that should have been patched in this release.
+ # this is informational and should not be relied upon.
+-__patched_cves__ = {"CVE-2022-21699"}
++__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}
+
+
+ def embed_kernel(module=None, local_ns=None, **kwargs):
+diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
+index 49fd3fe..d884799 100644
+--- a/IPython/utils/terminal.py
++++ b/IPython/utils/terminal.py
+@@ -79,30 +79,14 @@ if os.name == 'posix':
+ _set_term_title = _set_term_title_xterm
+ _restore_term_title = _restore_term_title_xterm
+ elif sys.platform == 'win32':
+- try:
+- import ctypes
+-
+- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+-
+- def _set_term_title(title):
+- """Set terminal title using ctypes to access the Win32 APIs."""
+- SetConsoleTitleW(title)
+- except ImportError:
+- def _set_term_title(title):
+- """Set terminal title using the 'title' command."""
+- global ignore_termtitle
+-
+- try:
+- # Cannot be on network share when issuing system commands
+- curr = os.getcwd()
+- os.chdir("C:")
+- ret = os.system("title " + title)
+- finally:
+- os.chdir(curr)
+- if ret:
+- # non-zero return code signals error, don't try again
+- ignore_termtitle = True
++ import ctypes
++
++ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
++ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
++
++ def _set_term_title(title):
++ """Set terminal title using ctypes to access the Win32 APIs."""
++ SetConsoleTitleW(title)
+
+
+ def set_term_title(title):
--
cgit v1.2.3-54-g00ecf
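Review bot: On the win32 branch of IPython/utils/terminal.py the `import ctypes` is now unconditional at module level, so an interpreter built without `_ctypes` (the configuration the patch description names) would raise ImportError when this module is imported, where it previously fell back to the shell call. Removing the `os.system("title " + title)` path is the fix itself and should stay removed. If Windows builds matter for this recipe, the import could be wrapped in `try:` / `except ImportError:` that simply skips setting the title; whether a no-op `_set_term_title` default already exists earlier in the file cannot be seen here, because the `if os.name == 'posix':` chain starts outside the hunk. Separately, this view is limited to the new patch file, so please confirm that the python3-ipython recipe lists `file://CVE-2023-24816.patch` in `SRC_URI`, otherwise the fix is never applied to the build.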