python3-ipython: patch CVE-2023-24816

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-14 05:49:57 +00:00 · 2026-01-06 08:33:26 +01:00
parent fa7d1a059e
commit bbcf3d7d14
2 changed files with 95 additions and 0 deletions
@@ -0,0 +1,94 @@
+From 06db417ff15192d73ddac4bf0e2f20579d47b2e0 Mon Sep 17 00:00:00 2001
+From: Konstantin Weddige <konstantin.weddige@lutrasecurity.com>
+Date: Sat, 3 Dec 2022 19:14:09 +0100
+Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code.
+
+Remove legacy code that might trigger a CVE.
+
+Currently set_term_title is only called with (semi-)trusted input that
+contain the current working directory of the current IPython session. If
+an attacker can control directory names, and manage to get a user cd
+into this directory the attacker can execute arbitrary commands
+contained in the folder names.
+
+Example:
+
+    - On a windows machine where python is built without _ctypes, create
+      a folder called && echo "pwn" > pwn.txt. This can be done by for
+      example cloning a git repository.
+    - call toggled_set_term_title(True), (or have the preference to
+      true)
+    - Open IPython and cd into this directory.
+    - the folder now contain a pwn.txt, with pwn as content, despite the
+      user not asking for any code execution.
+
+Workaround:
+
+    Set the configuration option
+    c.TerminalInteractiveShell.term_title_format='IPython' (or to any
+    other fixed, safe string).
+
+CVE: CVE-2023-24816
+Upstream-Status: Backport [https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ IPython/__init__.py       |  2 +-
+ IPython/utils/terminal.py | 32 ++++++++------------------------
+ 2 files changed, 9 insertions(+), 25 deletions(-)
+
+diff --git a/IPython/__init__.py b/IPython/__init__.py
+index e12da90..20e6e48 100644
+--- a/IPython/__init__.py
+++ b/IPython/__init__.py
+@@ -62,7 +62,7 @@ __version__  = release.version
+ version_info = release.version_info
+ # list of CVEs that should have been patched in this release.
+ # this is informational and should not be relied upon.
+-__patched_cves__ = {"CVE-2022-21699"}
+__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}
+ 
+ 
+ def embed_kernel(module=None, local_ns=None, **kwargs):
+diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
+index 49fd3fe..d884799 100644
+--- a/IPython/utils/terminal.py
+++ b/IPython/utils/terminal.py
+@@ -79,30 +79,14 @@ if os.name == 'posix':
+         _set_term_title = _set_term_title_xterm
+         _restore_term_title = _restore_term_title_xterm
+ elif sys.platform == 'win32':
+-    try:
+-        import ctypes
+-
+-        SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+-        SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+-    
+-        def _set_term_title(title):
+-            """Set terminal title using ctypes to access the Win32 APIs."""
+-            SetConsoleTitleW(title)
+-    except ImportError:
+-        def _set_term_title(title):
+-            """Set terminal title using the 'title' command."""
+-            global ignore_termtitle
+-
+-            try:
+-                # Cannot be on network share when issuing system commands
+-                curr = os.getcwd()
+-                os.chdir("C:")
+-                ret = os.system("title " + title)
+-            finally:
+-                os.chdir(curr)
+-            if ret:
+-                # non-zero return code signals error, don't try again
+-                ignore_termtitle = True
+    import ctypes
+
+    SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+    SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+
+    def _set_term_title(title):
+        """Set terminal title using ctypes to access the Win32 APIs."""
+        SetConsoleTitleW(title)
+ 
+ 
+ def set_term_title(title):
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING.rst;md5=59b20262b8663cdd094005bddf47af5f"

 PYPI_PACKAGE = "ipython"

+SRC_URI += "file://CVE-2023-24816.patch"
 SRC_URI[sha256sum] = "70e5eb132cac594a34b5f799bd252589009905f05104728aea6a403ec2519dc1"

 RDEPENDS:${PN} = "\