Bug 1194936 - (CVE-2022-21699) VUL-0: CVE-2022-21699: python-ipython: local arbitrary code execution via temporary files
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/321200/
Depends on:
Blocks:
Reported: 2022-01-20 10:00 UTC by Carlos López
Modified: 2022-07-08 01:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2022-01-20 10:00:08 UTC
CVE-2022-21699

IPython (Interactive Python) is a command shell for interactive computing in
multiple programming languages, originally developed for the Python programming
language. Affected versions are subject to an arbitrary code execution
vulnerability achieved by not properly managing cross user temporary files. This
vulnerability allows one user to run code as another on the same machine. All
users are advised to upgrade.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21699
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
https://github.com/ipython/ipython/commit/46a51ed69cdf41b4333943d9ceeb945c4ede5668
https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699
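The bug class the description names, a program trusting a shared, predictable temporary directory that any other local user could have created first, shown as an added Python example that is not code from the IPython project or the advisory. The page does not state which directory name or fallback logic IPython used, so the `app-profile` name, the scratch base directory and the `demo()` scenario are constructed; the weak pattern sits beside the hardened one, which uses a per-uid path created with mode 0700 and refuses a directory that fails ownership, permission or symlink checks.

```python
import os
import stat
import tempfile

def shared_fallback_dir(base, name="app-profile"):
    """Weak pattern: one predictable path under the shared temp dir for every local user."""
    path = os.path.join(base, name)          # e.g. /tmp/app-profile, identical for all users
    os.makedirs(path, exist_ok=True)         # silently adopts a directory someone else created
    return path

def private_dir_problems(path):
    """Reasons `path` must not be trusted as this user's private dir ([] if it is fine)."""
    st = os.lstat(path)                      # lstat: never follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != os.getuid():             # POSIX only
        problems.append("owned by uid %d, not %d" % (st.st_uid, os.getuid()))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access, mode %o" % stat.S_IMODE(st.st_mode))
    return problems

def private_fallback_dir(base, name="app-profile"):
    """Hardened pattern: per-uid path, created 0700, verified before anything in it is trusted."""
    path = os.path.join(base, "%s-%d" % (name, os.getuid()))
    try:
        os.mkdir(path, 0o700)                # create-or-fail, not create-or-adopt
    except FileExistsError:
        pass                                 # pre-existing: reuse only if the checks pass
    problems = private_dir_problems(path)
    if problems:
        raise PermissionError("refusing %s: %s" % (path, "; ".join(problems)))
    return path

def demo():
    """Constructed scenario in a scratch base dir; returns observations for checking."""
    base = tempfile.mkdtemp(prefix="tmpdir-demo-")
    ok_path = private_fallback_dir(base)
    planted = os.path.join(base, "planted-%d" % os.getuid())
    os.mkdir(planted); os.chmod(planted, 0o777)   # a pre-existing, world-writable directory
    try:
        private_fallback_dir(base, "planted"); refused = False
    except PermissionError:
        refused = True
    link = os.path.join(base, "link-%d" % os.getuid()); os.symlink(base, link)
    return {"shared_predictable": shared_fallback_dir(base) == os.path.join(base, "app-profile"),
            "ok": private_dir_problems(ok_path), "planted_refused": refused,
            "symlink": private_dir_problems(link)}
```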
Comment 1 Carlos López 2022-01-20 10:01:54 UTC
Affected:
 - openSUSE:Backports:SLE-15-SP3/python-ipython
 - openSUSE:Backports:SLE-15-SP4/python-ipython
 - openSUSE:Factory/python-ipython
Comment 2 Benjamin Greiner 2022-01-20 10:40:34 UTC
Fixing by version 8.0.1 for Factory: https://build.opensuse.org/request/show/947657

The SLE/Leap package for Python 3.6 needs to be taken care of by the SUSE maintainer
Comment 3 OBSbugzilla Bot 2022-01-20 12:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1194936) was mentioned in
https://build.opensuse.org/request/show/947675 Factory / python-ipython
Comment 4 OBSbugzilla Bot 2022-03-05 09:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1194936) was mentioned in
https://build.opensuse.org/request/show/959582 Backports:SLE-15-SP4 / python-ipython
Comment 5 OBSbugzilla Bot 2022-06-08 00:40:02 UTC
This is an autogenerated message for OBS integration:
This bug (1194936) was mentioned in
https://build.opensuse.org/request/show/981219 Backports:SLE-15-SP3 / python-ipython
Comment 6 Swamp Workflow Management 2022-07-08 01:15:40 UTC
openSUSE-SU-2022:10043-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1194936
CVE References: CVE-2022-21699
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-ipython-7.13.0-bp153.2.6.1, python-ipython-test-7.13.0-bp153.2.6.6