[12:55] <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The
[12:55] <luis220413> sil2100: Please sponsor the SRU in bug 1956166
[12:57] <sil2100> luis220413: hey! So I see there's already a xen SRU in focal-proposed, and I see mfo would like to see it released first. I'll get the arch build failures one accepted so we can get that moving
[12:58] <luis220413> sil2100: This is mfo's SRU
[12:58] <luis220413> I want this one sponsored such that my security update can advance
[12:58] <luis220413> sil2100: Thanks!
[12:58] <sil2100> Ok, in that case, I'm on it now then! ;)
[13:00] <sil2100> Changes looking good, done o/
[13:01] <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The upstream patch introduces a dependency on the NPM package @jupyterlab/apputils (unpackaged in Ubuntu), from which only sanitizer.ts is needed.
[13:03] <luis220413> This file depends on node-sanitize-html (available only since Jammy), that build-depends on node-postcss, that did not migrate from bionic-proposed. This package, in turn, depends on node-source-html (>= 0.6.1), that was only satisfied in Bionic by packages in the -proposed pocket that were moved to cosmic-proposed shortly after Bionic was released.
[13:03] <luis220413> *build-depends
[13:03] <luis220413> *Build-Depends
[13:03] <luis220413> How should I proceed?
[13:05] <luis220413> The version of node-source-map that satisfies this requirement (0.6.1+dfsg-1) uses a new upstream release and appears to be substantially different from the version in the release pocket (0.5.7+dfsg-1).
[13:05] <amurray> luis220413: sometimes it is not possible to patch every CVE - I would argue this is one of those cases where it is not possible to take the upstream fix due to the large amount of other dependencies it needs which can't be satisfied in that release
[13:06] <amurray> luis220413: and so unfortunately it would remain unfixed
[13:06] <luis220413> amurray: But this is a critical vulnerability: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
[13:06] <amurray> luis220413: have you ever opened a notebook from some other user which you didn't trust?
[13:07] <luis220413> amurray: I do not, but many people use jupyter-notebook and may inadvertently open a malicious notebook.
[13:08] <amurray> it doesn't involve privilege escalation so personally I would not say it is critical - especially when considered in light of the priority scheme which the security team currently uses https://people.canonical.com/~ubuntu-security/priority.html - it would be rated Medium in our scale
[13:08] <amurray> in an ideal world we would patch everything - but we don't live in an ideal world
[13:09] <amurray> luis220413: so the other option you have is to backport a newer version via the https://help.ubuntu.com/community/UbuntuBackports pocket - or just within a PPA
[13:09] <amurray> then you can manage all the other required dependencies etc
[13:13] <luis220413> amurray: This is arbitrary JavaScript execution, that allows for local data theft of the entire directory on which the notebook server is run, and therefore should be rated High
[13:14] <luis220413> If you save the notebook into a directory and run the server in that directory or one of its parents
[13:14] <luis220413> *ancestors
[13:15] <amurray> luis220413: sure but it only runs as the local user right, so there is no privesc to root and hence by our criteria is a medium
[13:16] <luis220413> amurray: I will try to break the dependency on node-source-map, and I have requested a backport of the two other dependencies to the -security pocket in bug 1983018.
[13:17] <amurray> in that case I suggest this all be done in the backports pocket rather than security since there is likely too high a risk of regression to other packages which might depend on these packages etc
[13:18] <luis220413> amurray: The packages to be backported in this bug do not exist in the target releases.
[13:18] <luis220413> So there is no risk of regressing dependencies.
[13:18] <luis220413> Because they do not exist
[13:19] <amurray> oh in that case then it may be possible - apologies I hadn't realised that
[13:19] <amurray> sorry I'll have to resume this conversation later - gotta run - thanks for your interest and help with Ubuntu security