From unknown Mon Jun 23 04:14:28 2025
From: Leo Famulari
To: bug-guix@gnu.org
Subject: bug#53670: ipython CVE-2022-21699
Date: Mon, 31 Jan 2022 15:28:21 -0500

Python (Interactive Python) is a command shell for interactive computing
in multiple programming languages, originally developed for the Python
programming language. Affected versions are subject to an arbitrary code
execution vulnerability achieved by not properly managing cross user
temporary files. This vulnerability allows one user to run code as
another on the same machine.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

From unknown Mon Jun 23 04:14:28 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#53670: closed (Re: bug#53670: ipython CVE-2022-21699)
Reply-To: 53670@debbugs.gnu.org
Date: Sat, 14 May 2022 05:24:02 +0000

Your bug report

#53670: ipython CVE-2022-21699

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 53670@debbugs.gnu.org.
-- 
53670: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=53670
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Maxim Cournoyer
To: Leo Famulari
Cc: 53670-done@debbugs.gnu.org
Subject: Re: bug#53670: ipython CVE-2022-21699
Date: Sat, 14 May 2022 01:23:43 -0400
Message-ID: <87mtfkn0v4.fsf@gmail.com>

Hi,

Leo Famulari writes:

> Python (Interactive Python) is a command shell for interactive computing
> in multiple programming languages, originally developed for the Python
> programming language. Affected versions are subject to an arbitrary code
> execution vulnerability achieved by not properly managing cross user
> temporary files. This vulnerability allows one user to run code as
> another on the same machine.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21699
> https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

Fixed with 1c8264d62e16f404786d9b526511cea29138ab9f.

Thanks for the report!

Maxim