Bug 947508 (CVE-2015-7337) - VUL-1: CVE-2015-7337: ipython: Maliciously crafted files can be executed due to wrong file type determination
Status: RESOLVED FIXED
Alias: CVE-2015-7337
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assignee: Jan Matejek
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/156960/
Reported: 2015-09-25 11:33 UTC by Victor Pereira
Modified: 2017-08-10 14:22 UTC
Found By: Security Response Team


Description Victor Pereira 2015-09-25 11:33:20 UTC
rh#1264067

A vulnerability in IPython allows a maliciously forged file to be opened for editing that could execute JavaScript code, specifically by being redirected to /files/ due to mistakenly treating the file as plain text. Versions >= 3.0 and <= 3.2.1 of IPython are affected.

Upstream patch:

https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967





References:
https://bugzilla.redhat.com/show_bug.cgi?id=1264067
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7337
http://seclists.org/oss-sec/2015/q3/634
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7337.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7337
Comment 1 Victor Pereira 2015-09-25 11:33:53 UTC
Looks like just Factory and Leap are affected.
Comment 2 Swamp Workflow Management 2015-09-25 22:00:39 UTC
bugbot adjusting priority
Comment 3 Johannes Segitz 2017-08-10 14:22:31 UTC
fixed