IPython: User-assisted execution of arbitrary code — GLSA 201512-02

A vulnerability in IPython could result in execution of arbitrary JavaScript.

Affected Packages

dev-python/ipython on all architectures
Affected versions < 3.2.1-r1
Unaffected versions >= 3.2.1-r1

Background

IPython is an advanced interactive shell for Python.

Description

IPython does not properly check the MIME type of a file.

Impact

A remote attacker could entice a user to open a specially crafted text file using IPython, possibly resulting in execution of arbitrary JavaScript with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All IPython users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/ipython-3.2.1-r1"
 

References

Release Date
December 17, 2015

Latest Revision
December 17, 2015: 1

Severity
normal

Exploitable
remote

Bugzilla entries