ipywidget security release

Hello Jovyan,

A version of ipywidget has been released, which fixes important security issues. Please upgrade ipywidgets as soon as you can:

$ pip install ipywidgets --upgrade

Please do so in all your environments.

More details follow. We requested a CVE number and were asked to wait before any public disclosure of the vulnerability. As we have now been delaying the disclosure for over a resonable time, and we're still waiting for the CVE number, we decided to still disclose the vulnerability. This post will be updated once/if a CVE number is made available.

[Update Dec 15, 2016]

A CVE number cannot be assigned for lack of sufficient information. No explanation of what more is needed was provided.

Description

ipywidgets version 5.1.5 (widgetsnbextension 1.2.3) fixes a security vulnerability (CVE-PENDING) which affects the usage of ipywidgets in conjunction with the Jupyter Notebook.

Affected versions

ipywidgets version 5.0.0 ≤ V ≤ 5.1.4 (widgetsnbextension < 1.2.3).

Only users who installed ipywidgets using pip or from source on the GitHub repository are affected.

Anaconda users are unaffected because the vulnerable version of ipywidget has never been released to the default conda channel.

Resolution

We released ipywidgets version 5.1.5 (widgetsnbextension version 1.2.3).

You can check whether your system is affected by running the following command from a Python or IPython prompt:

>>> from distutils.version import LooseVersion as V
>>> import ipywidgets
>>> if V('5.0.0') <= V(ipywidgets.__version__) < V('5.1.5'):
        print("Upgrade ipywidgets to 5.1.5")

If your system is vulnerable, you will see the following output:

Upgrade ipywidgets to 5.1.5

If your system is vulnerable please upgrade to ipywidgets version 5.1.5. Use the following command to install:

$ pip install "ipywidgets>=5.1.5"

or

$ conda install "ipywidgets>=5.1.5"

Technical details

The vulnerability was discovered following an investigation of a potential vulnerability reported by Brian Granger to the ipython-security mailing list (security@ipython.org) on May 5.

The reason for such behavior was determined on May 5 by Matthias Bussonnier.
A fix was proposed written and reviewed, then merged into the development branch on May 20, and a non vulnerable version released on May 25.

A widget snapshotting feature introduced in ipywidgets 5.0.0 allowed untrusted javascript code to execute in an untrusted notebook on loading and saving of a notebook. A well crafted notebook could execute arbitrary code with the rights of the current user in the context of the page, the notebook server, and available kernels.

We recommend immediate upgrade of the ipywidgets package.

There is no simple configuration option that could mitigate the system for vulnerability. The user must upgrade to ipywidget version 5.1.5 or downgrade to 4.x.

Future Plan

The security issue resulted from the seemingly harmless combination of calls:

json = cell.get_json()
json = update_json(json)
cell.clear_output()
cell.from_json(json)

The clear_output() method has as a consequence to mark the cell as trusted (as it has no output that can potentially execute javascript). This is followed by the next call which can trigger JavaScript execution in the page context.

We plan on improving the notebook API so that clear_output() does not change the trusted status of a cell (or a notebook), to prevent mistakes like this from having security consequences. This will lead to the slight behavior change that an empty cell with no output can be untrusted.

Doing better next time

We learned that we are not completely ready for fast release of security fixes. The time from vulnerability discovery to available fix and release could have been better. The announcement was delayed while waiting for a CVE number which is still not there. We will consider a sorter timescale to publication even if we don't get assigned a CVE number quickly. The standard seem to be 90 days from security vulnerability report, we might end up selecting this as well.

We encourage users who find possible security issues to notify security@ipython.org.

Thanks!