IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0.
Impact
Users are only vulnerable when calling this function on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, set_term_title could introduce a vulnerability for dependents. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into such a directory, then the attacker can execute arbitrary commands contained in the folder names.
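The advisory narrows exposure to three conditions that must hold at once: IPython older than 8.10.0, a Windows host, and a Python environment without ctypes. The following check script turns those conditions into a reproducible environment assessment. It is an added example and not IPython's or Renovate's code; the function names and the `assess_current_environment` report layout are this example's own, and the version threshold and conditions are taken from the advisory text above.

```python
"""Check whether an environment matches the CVE-2023-24816 conditions.

Added example, not IPython's own code. The conditions are the ones the
advisory states: IPython < 8.10.0, running on Windows, with ctypes
unavailable. Function and variable names here are this example's own.
"""
import importlib
import platform
import re
from importlib import metadata

FIXED_VERSION = (8, 10, 0)  # patched release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '8.10.0' (or '8.10') into a comparable tuple of ints.

    Pre-release suffixes such as 'rc1' are ignored; this is a release-level
    check, not a full PEP 440 comparison.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    # pad so (8, 10) compares equal to (8, 10, 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, system: str, ctypes_available: bool) -> bool:
    """True only when all three advisory conditions hold at once."""
    if parse_version(version) >= FIXED_VERSION:
        return False  # patched in 8.10.0 and later
    if system != "Windows":
        return False  # the fallback path is Windows-only
    return not ctypes_available  # with ctypes present the code is dead


def ctypes_importable() -> bool:
    """Probe the interpreter the same way the library's import would."""
    try:
        importlib.import_module("ctypes")
        return True
    except ImportError:
        return False


def installed_ipython_version():
    """Installed IPython version string, or None if not installed."""
    try:
        return metadata.version("ipython")
    except metadata.PackageNotFoundError:
        return None


def assess_current_environment() -> dict:
    """Report both the narrow 'reachable' case and the broader upgrade need."""
    version = installed_ipython_version()
    system = platform.system()
    ctypes_ok = ctypes_importable()
    below_fix = version is not None and parse_version(version) < FIXED_VERSION
    return {
        "ipython_version": version,
        "system": system,
        "ctypes_available": ctypes_ok,
        # reachable only under the advisory's three conditions
        "affected": version is not None and is_affected(version, system, ctypes_ok),
        # still worth upgrading: another tool may call set_term_title directly
        "needs_upgrade": below_fix,
    }


if __name__ == "__main__":
    for key, value in assess_current_environment().items():
        print(f"{key}: {value}")
```

The report deliberately separates `affected` (the code path is actually reachable on this host) from `needs_upgrade` (the installed release predates the fix). The advisory's point about library consumers is why both matter: a host where ctypes is present is not exposed through IPython's own call, but a downstream tool calling `set_term_title` with its own input would still be running the unpatched code, so the upgrade is the durable fix regardless of the `affected` result.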
This PR contains the following updates:

| Package | Change |
|---|---|
| ipython | `==7.34.0` -> `==8.10.0` |
GitHub Vulnerability Alerts
CVE-2023-24816
Release Notes
ipython/ipython (ipython)
### [`v8.10.0`](https://togithub.com/ipython/ipython/compare/8.9.0...8.10.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.9.0...8.10.0)

### [`v8.9.0`](https://togithub.com/ipython/ipython/compare/8.8.0...8.9.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.8.0...8.9.0)

### [`v8.8.0`](https://togithub.com/ipython/ipython/compare/8.7.0...8.8.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.7.0...8.8.0)

### [`v8.7.0`](https://togithub.com/ipython/ipython/compare/8.6.0...8.7.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.6.0...8.7.0)

### [`v8.6.0`](https://togithub.com/ipython/ipython/compare/8.5.0...8.6.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.5.0...8.6.0)

### [`v8.5.0`](https://togithub.com/ipython/ipython/compare/8.4.0...8.5.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.4.0...8.5.0)

### [`v8.4.0`](https://togithub.com/ipython/ipython/compare/8.3.0...8.4.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.3.0...8.4.0)

### [`v8.3.0`](https://togithub.com/ipython/ipython/compare/8.2.0...8.3.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.2.0...8.3.0)

### [`v8.2.0`](https://togithub.com/ipython/ipython/compare/8.1.1...8.2.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.1.1...8.2.0)

### [`v8.1.1`](https://togithub.com/ipython/ipython/compare/8.1.0...8.1.1)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.1.0...8.1.1)

### [`v8.1.0`](https://togithub.com/ipython/ipython/compare/8.0.1...8.1.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.0.1...8.1.0)

### [`v8.0.1`](https://togithub.com/ipython/ipython/compare/8.0.0...8.0.1)

[Compare Source](https://togithub.com/ipython/ipython/compare/8.0.0...8.0.1)

### [`v8.0.0`](https://togithub.com/ipython/ipython/compare/7.34.0...8.0.0)

[Compare Source](https://togithub.com/ipython/ipython/compare/7.34.0...8.0.0)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.