[SECURITY] [DLA 3442-1] nbconvert security update

Debian LTS Advisory DLA-3442-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
June 03, 2023 https://wiki.debian.org/LTS

Package : nbconvert
Version : 5.4-2+deb10u1
CVE ID : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.

When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).

• GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
• GHSL-2021-1014: XSS in notebook.metadata.title;
• GHSL-2021-1015: XSS in notebook.metadata.widgets;
• GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
• GHSL-2021-1017: XSS in output data text/html cells;
• GHSL-2021-1018: XSS in output data image/svg+xml cells;
• GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
• GHSL-2021-1020: XSS in output data text/markdown cells;
• GHSL-2021-1021: XSS in output data application/javascript cells;
• GHSL-2021-1022: XSS in output.metadata.filenames image/png and
  image/jpeg;
• GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
• GHSL-2021-1024: XSS in output.metadata.width/height image/png and
  image/jpeg;
• GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+
  json cells;
• GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+
  json cells;
• GHSL-2021-1027: XSS in raw cells; and
• GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/JavaScript and markdown cells should allow for arbitrary
JavaScript code execution. These vulnerabilities are therefore left open
by default, but users can now opt-out and strip down all JavaScript
elements via a new HTMLExporter option sanitize_html.

For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature