QID 981436

QID 981436: Python (pip) Security Update for binderhub (GHSA-9jjr-qqfp-ppwx)

Security update has been released for binderhub to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

A remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
    • Solution
    Patch below, or [on GitHub](https://github.com/jupyterhub/binderhub/commit/195caac172690456dcdc8cc7a6ca50e05abf8182.patch)

    ```diff
    From 9f4043d9dddc1174920e687773f27b7933f48ab6 Mon Sep 17 00:00:00 2001
    From: Riccardo Castellotti <[email protected]>
    Date: Thu, 19 Aug 2021 15:49:43 +0200
    Subject: [PATCH] Explicitly separate git-ls-remote options from positional
    arguments

    ---
    binderhub/repoproviders.py | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    diff --git a/binderhub/repoproviders.py b/binderhub/repoproviders.py
    index f33347b..5d4b87c 100755
    --- a/binderhub/repoproviders.py
    +++ b/binderhub/repoproviders.py
    @@ -484,7 +484,7 @@ class GitRepoProvider(RepoProvider):
    self.sha1_validate(self.unresolved_ref)
    except ValueError:
    # The ref is a head/tag and we resolve it using `git ls-remote`
    - command = ["git", "ls-remote", self.repo, self.unresolved_ref]
    + command = ["git", "ls-remote", "--", self.repo, self.unresolved_ref]
    result = subprocess.run(command, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if result.returncode:
    raise RuntimeError("Unable to run git ls-remote to get the `resolved_ref`: {}".format(result.stderr))
    --
    2.25.1

    ```Workaround:
    Disable the git repo provider by specifying the `BinderHub.repo_providers` config, e.g.:

    ```python
    from binderhub.repoproviders import (GitHubRepoProvider,
    GitLabRepoProvider, GistRepoProvider,
    ZenodoProvider, FigshareProvider, HydroshareProvider,
    DataverseProvider)

    c.BinderHub.repo_providers = {
    'gh': GitHubRepoProvider,
    'gist': GistRepoProvider,
    'gl': GitLabRepoProvider,
    'zenodo': ZenodoProvider,
    'figshare': FigshareProvider,
    'hydroshare': HydroshareProvider,
    'dataverse': DataverseProvider,
    }
    ```
    Vendor References

    CVEs related to QID 981436

    CVE-2021-39159 |
    Software Advisories
    Advisory ID Software Component Link
    GHSA-9jjr-qqfp-ppwx binderhub URL Logo github.com/advisories/GHSA-9jjr-qqfp-ppwx
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].