[SECURITY] [DLA 3442-1] nbconvert security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3442-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 03, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nbconvert
Version        : 5.4-2+deb10u1
CVE ID         : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.

When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).

  * GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  * GHSL-2021-1014: XSS in notebook.metadata.title;
  * GHSL-2021-1015: XSS in notebook.metadata.widgets;
  * GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  * GHSL-2021-1017: XSS in output data text/html cells;
  * GHSL-2021-1018: XSS in output data image/svg+xml cells;
  * GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  * GHSL-2021-1020: XSS in output data text/markdown cells;
  * GHSL-2021-1021: XSS in output data application/javascript cells;
  * GHSL-2021-1022: XSS in output.metadata.filenames image/png and
    image/jpeg;
  * GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  * GHSL-2021-1024: XSS in output.metadata.width/height image/png and
    image/jpeg;
  * GHSL-2021-1025: XSS in output data
    application/vnd.jupyter.widget-state+json cells;
  * GHSL-2021-1026: XSS in output data
    application/vnd.jupyter.widget-view+json cells;
  * GHSL-2021-1027: XSS in raw cells; and
  * GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/javascript and markdown cells should allow for arbitrary
JavaScript code execution. These vulnerabilities are therefore left open
by default, but users can now opt out and strip down all JavaScript
elements via a new HTMLExporter option `sanitize_html`.
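
The following check is an added example, not part of the advisory or of
nbconvert: it lists which parts of a notebook fall under the four items
left open by default, so that `sanitize_html` can be enabled before the
converted HTML is served. The function name and the sample notebook are
constructed for illustration.

```python
import json

# Output MIME types that the advisory says remain script-capable by default.
OPEN_BY_DESIGN = {
    "text/html": "GHSL-2021-1017",
    "text/markdown": "GHSL-2021-1020",
    "application/javascript": "GHSL-2021-1021",
}

def audit_notebook(nb):
    """Return (location, advisory id) pairs for content rendered unsanitized by default."""
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        # nbformat stores source as a string or a list of strings.
        source = "".join(cell.get("source", ""))
        if cell.get("cell_type") == "markdown" and source.strip():
            findings.append((f"cells[{i}] markdown source", "GHSL-2021-1028"))
        for j, output in enumerate(cell.get("outputs", [])):
            # Stream and error outputs carry no "data" bundle and are skipped.
            for mime in sorted(output.get("data", {})):
                if mime in OPEN_BY_DESIGN:
                    findings.append((f"cells[{i}].outputs[{j}] {mime}", OPEN_BY_DESIGN[mime]))
    return findings

# Constructed sample notebook (nbformat 4 layout), not taken from the advisory.
SAMPLE = json.loads("""
{
  "nbformat": 4, "nbformat_minor": 2, "metadata": {},
  "cells": [
    {"cell_type": "markdown", "metadata": {}, "source": ["# Report\\n", "Summary text"]},
    {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": "df.head()",
     "outputs": [{"output_type": "execute_result", "execution_count": 1, "metadata": {},
                  "data": {"text/plain": "   a\\n0  1", "text/html": "<table></table>"}}]},
    {"cell_type": "code", "metadata": {}, "execution_count": 2, "source": "plot()",
     "outputs": [{"output_type": "display_data", "metadata": {},
                  "data": {"image/png": "", "text/plain": "<Figure>"}},
                 {"output_type": "stream", "name": "stdout", "text": "done\\n"}]}
  ]
}
""")

if __name__ == "__main__":
    for location, ghsl in audit_notebook(SAMPLE):
        print(f"{ghsl}: {location} -> enable sanitize_html before serving the HTML")
```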

For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

An nbconvert security update has been released for Debian GNU/Linux 10 LTS to address a cross-site scripting vulnerability.