=== luis220413_ is now known as luis220413
[12:55] <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The
[12:55] <ubottu> The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798>
[12:55] <luis220413> sil2100: Please sponsor the SRU in bug 1956166
[12:55] <ubottu> Bug 1956166 in xen (Ubuntu Focal) "Ubuntu 22.04 doesn't boot with xen" [Medium, Fix Committed] https://launchpad.net/bugs/1956166
[12:57] <sil2100> luis220413: hey! So I see there's already a xen SRU in focal-proposed, and I see mfo would like to see it released first. I'll get the arch build failures one accepted so we can get that moving
[12:58] <luis220413> sil2100: This is mfo's SRU
[12:58] <luis220413> I want this one sponsored such that my security update can advance
[12:58] <luis220413> sil2100: Thanks!
[12:58] <sil2100> Ok, in that case, I'm on it now then! ;)
[13:00] <sil2100> Changes looking good, done o/
[13:01] <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The upstream patch introduces a dependency on the NPM package @jupyterlab/apputils (unpackaged in Ubuntu), from which only sanitizer.ts is needed.
[13:01] <ubottu> The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798>
[13:03] <luis220413> This file depends on node-sanitize-html (available only since Jammy), that build-depends on node-postcss, that did not migrate from bionic-proposed. This package, in turn, depends on node-source-html (>= 0.6.1), that was only satisfied in Bionic by packages in the -proposed pocket that were moved to cosmic-proposed shortly after Bionic was released.
[13:03] <luis220413> *build-depends
[13:03] <luis220413> *Build-Depends
[13:03] <luis220413> How should I proceed?
[13:05] <luis220413> The version of node-source-map that satisfies this requirement (0.6.1+dfsg-1) uses a new upstream release and appears to be substantially different from the version in the release pocket (0.5.7+dfsg-1).
[13:05] <amurray> luis220413: sometimes it is not possible to patch every CVE - I would argue this is one of those cases where it is not possible to take the upstream fix due to large amount of other dependencies it needs which can't be satisfied in that release
[13:06] <amurray> luis220413: and so unfortunately it would remain unfixed
[13:06] <luis220413> amurray: But this is a critical vulnerability: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
[13:06] <amurray> luis220413: have you ever opened a notebook from some other user which you didn't trust?
[13:07] <luis220413> amurray: I do not, but many people use jupyter-notebook and may inadvertently open a malicious notebook.
[13:08] <amurray> it doesn't involve privilege escalation so personally I would not say it is critical - especially when considered in light of the priority scheme which the security team currently uses https://people.canonical.com/~ubuntu-security/priority.html - it would be rated Medium in our scale
[13:08] <amurray> in an ideal world we would patch everything - but we don't live in an ideal world
[13:09] <amurray> luis220413: so the other option you have is to backport a newer version via the https://help.ubuntu.com/community/UbuntuBackports pocket - or just within a PPA
[13:09] <amurray> then you can manage all the other required dependencies etc
[13:13] <luis220413> amurray: This is arbitrary JavaScript execution, that allows for local data theft of the entire directory on which the notebook server is run, and therefore should be rated High
[13:14] <luis220413> If you save the notebook into a directory and run the server in that directory or one of its parents
[13:14] <luis220413> *ancestors
[13:15] <amurray> luis220413: sure but it only runs as the local user right, so there is no privesc to root and hence by our criteria is a medium
[13:16] <luis220413> amurray: I will try to break the dependency on node-source-map, and I have requested a backport of the two other dependencies to the -security pocket in bug 1983018.
[13:16] <ubottu> Bug 1983018 in node-sanitize-html (Ubuntu) "Backport to Ubuntu 18.04 (and in some cases 20.04)" [Undecided, New] https://launchpad.net/bugs/1983018
[13:17] <amurray> in that case I suggest this all be done in the backports pocket rather than security since there is likely too high a risk of regression to other packages which might depend on these packages etc
[13:18] <luis220413> amurray: The packages to be backported in this bug do not exist in the target releases.
[13:18] <luis220413> So there is no risk of regressing dependencies.
[13:18] <luis220413> Because they do not exist
[13:19] <amurray> oh in that case then it may be possible - apologies I hadn't realised that
[13:19] <amurray> sorry I'll have to resume this conversation latter - gotta run - thanks for your interest and help with ubuntu security