#46 Update to 3.2.3 and fix CVE-2022-21699
Merged 16 days ago by gotmax23. Opened 4 months ago by carlwgeorge.
rpms/ carlwgeorge/ipython epel7-CVE-2022-21699  into  epel7

file modified
+1
@@ -14,3 +14,4 @@ 

  /ipython-3.0.0.tar.gz

  /ipython-3.1.0.tar.gz

  /ipython-3.2.1.tar.gz

+ /ipython-3.2.3.tar.gz

@@ -0,0 +1,85 @@ 

+ From 34c73a5bb956bbe8a985fe3ac40fd36f255157b8 Mon Sep 17 00:00:00 2001

+ From: Matthias Bussonnier <bussonniermatthias@gmail.com>

+ Date: Sat, 15 Jan 2022 19:43:14 +0100

+ Subject: [PATCH] FIX CVE-2022-21699

+ 

+ See https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

+ 

+ (cherry picked from commit c306d208946604b1cfc7bcfdc5fb51daf7b8ceae)

+ ---

+  IPython/__init__.py         | 4 ++++

+  IPython/core/application.py | 2 +-

+  IPython/core/profileapp.py  | 6 +++---

+  IPython/core/profiledir.py  | 4 ++--

+  4 files changed, 10 insertions(+), 6 deletions(-)

+ 

+ diff --git a/IPython/__init__.py b/IPython/__init__.py

+ index 69750f21b..f477c1f41 100644

+ --- a/IPython/__init__.py

+ +++ b/IPython/__init__.py

+ @@ -59,6 +59,10 @@

+  __license__  = release.license

+  __version__  = release.version

+  version_info = release.version_info

+ +# list of CVEs that should have been patched in this release.

+ +# this is informational and should not be relied upon.

+ +__patched_cves__ = {"CVE-2022-21699"}

+ +

+  

+  def embed_kernel(module=None, local_ns=None, **kwargs):

+      """Embed and start an IPython kernel in a given scope.

+ diff --git a/IPython/core/application.py b/IPython/core/application.py

+ index 9741baac7..76b62796b 100644

+ --- a/IPython/core/application.py

+ +++ b/IPython/core/application.py

+ @@ -92,7 +92,7 @@ def _config_file_name_changed(self, name, old, new):

+      

+      config_file_paths = List(Unicode)

+      def _config_file_paths_default(self):

+ -        return [py3compat.getcwd()]

+ +        return []

+  

+      extra_config_file = Unicode(config=True,

+      help="""Path to an extra config file to load.

+ diff --git a/IPython/core/profileapp.py b/IPython/core/profileapp.py

+ index b5b2fdce6..a65b092ee 100644

+ --- a/IPython/core/profileapp.py

+ +++ b/IPython/core/profileapp.py

+ @@ -184,9 +184,9 @@ def list_profile_dirs(self):

+          profiles = list_profiles_in(py3compat.getcwd())

+          if profiles:

+              print()

+ -            print("Available profiles in current directory (%s):" % py3compat.getcwd())

+ -            self._print_profiles(profiles)

+ -        

+ +            print(

+ +                "Profiles from CWD have been removed for security reason, see CVE-2022-21699:"

+ +            )

+          print()

+          print("To use any of the above profiles, start IPython with:")

+          print("    ipython --profile=<name>")

+ diff --git a/IPython/core/profiledir.py b/IPython/core/profiledir.py

+ index bff81e22e..baa42628d 100644

+ --- a/IPython/core/profiledir.py

+ +++ b/IPython/core/profiledir.py

+ @@ -211,7 +211,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):

+          is not found, a :class:`ProfileDirError` exception will be raised.

+  

+          The search path algorithm is:

+ -        1. ``py3compat.getcwd()``

+ +        1. ``os.getcwd()`` # removed for security reason.

+          2. ``ipython_dir``

+  

+          Parameters

+ @@ -223,7 +223,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):

+              will be "profile_<profile>".

+          """

+          dirname = u'profile_' + name

+ -        paths = [py3compat.getcwd(), ipython_dir]

+ +        paths = [ipython_dir]

+          for p in paths:

+              profile_dir = os.path.join(p, dirname)

+              if os.path.isdir(profile_dir):

+ -- 

+ 2.38.1

+ 

file modified
+10 -2
@@ -13,7 +13,7 @@ 

  %endif

  

  Name:           ipython

- Version:        3.2.1

+ Version:        3.2.3

  Release:        1%{?dist}

  Summary:        An enhanced interactive Python shell

  
@@ -22,9 +22,12 @@ 

  # There are some extensions released under GPLv2+

  License:        (BSD and MIT and Python) and GPLv2+

  URL:            http://ipython.org/

- Source0:        https://pypi.python.org/packages/source/i/ipython/ipython-%{version}.tar.gz

+ Source0:        %pypi_source ipython

  # Add _jsdir to default search path

  Patch0:         ipython-2.1.0-_jsdir-search-path.patch

+ # Fix CVE-2022-21699, backported from 5.x branch upstream

+ # https://github.com/ipython/ipython/commit/c306d208946604b1cfc7bcfdc5fb51daf7b8ceae

+ Patch1:         0001-FIX-CVE-2022-21699.patch

  

  BuildArch:      noarch

  BuildRequires:  python-devel
@@ -393,6 +396,7 @@ 

  %patch0 -p1 -b .jsdir

  sed -i "s;_jsdir;%{_jsdir};g" \

      IPython/html/notebookapp.py

+ %patch1 -p 1

  

  # delete bundling libs

  pushd IPython/external
@@ -722,6 +726,10 @@ 

  %endif # with_python3

  

  %changelog

+ * Sun Oct 23 2022 Carl George <carl@george.computer> - 3.2.3-1

+ - Update to 3.2.3

+ - Fix CVE-2022-21699, resolves rhbz#2135164

+ 

  * Mon Jul 13 2015 Orion Poplawski <orion@cora.nwra.com> - 3.2.1-1

  - Update to 3.2.1

  

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- 61c2d5665ff1bd65eceb19fa7f1b23c7  ipython-3.2.1.tar.gz

+ SHA512 (ipython-3.2.3.tar.gz) = 0b7d8c9f9045d64adaeb52ff2ce16772daf8a0abb5a5a7775be917b062893b44efd475dfce09989243d80da7be9492c086af84dd537876c1c112b98024d41639

Ping @dcantrell, the EPEL maintainer of ipython.

Pull-Request has been merged by gotmax23

16 days ago

Merging this as a provenpackager as it fixes a security issue.