Date: Mon, 31 Jan 2022 15:28:21 -0500
From: Leo Famulari
To: bug-guix@gnu.org
Subject: ipython CVE-2022-21699

Python (Interactive Python) is a command shell for interactive computing
in multiple programming languages, originally developed for the Python
programming language. Affected versions are subject to an arbitrary code
execution vulnerability achieved by not properly managing cross user
temporary files. This vulnerability allows one user to run code as
another on the same machine.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x


Date: Sat, 14 May 2022 01:23:43 -0400
From: Maxim Cournoyer
To: Leo Famulari
Cc: 53670-done@debbugs.gnu.org
Subject: Re: bug#53670: ipython CVE-2022-21699

Hi,

Leo Famulari writes:

> Python (Interactive Python) is a command shell for interactive computing
> in multiple programming languages, originally developed for the Python
> programming language. Affected versions are subject to an arbitrary code
> execution vulnerability achieved by not properly managing cross user
> temporary files. This vulnerability allows one user to run code as
> another on the same machine.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699
> https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

Fixed with 1c8264d62e16f404786d9b526511cea29138ab9f.

Thanks for the report!

Maxim


Date: Sat, 11 Jun 2022 11:24:07 +0000
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator