Version in base suite: 4.7.1-1 Base version: jupyter-core_4.7.1-1 Target version: jupyter-core_4.7.1-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jupyter-core/jupyter-core_4.7.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jupyter-core/jupyter-core_4.7.1-1+deb11u1.dsc changelog | 8 +++ patches/CVE-2022-39286.patch | 94 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 103 insertions(+)
diff -Nru jupyter-core-4.7.1/debian/changelog jupyter-core-4.7.1/debian/changelog
--- jupyter-core-4.7.1/debian/changelog 2021-02-01 18:39:54.000000000 +0000
+++ jupyter-core-4.7.1/debian/changelog 2023-06-09 02:08:24.000000000 +0000
@@ -1,3 +1,11 @@
+jupyter-core (4.7.1-1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2022-39286: Arbitrarycode execution while loading configuration
+ files. (Closes: #1023361)
+
+ -- Aron Xu Fri, 09 Jun 2023 10:08:24 +0800
+
 jupyter-core (4.7.1-1) unstable; urgency=medium
 * New upstream version 4.7.1
diff -Nru jupyter-core-4.7.1/debian/patches/CVE-2022-39286.patch jupyter-core-4.7.1/debian/patches/CVE-2022-39286.patch
--- jupyter-core-4.7.1/debian/patches/CVE-2022-39286.patch 1970-01-01 00:00:00.000000000 +0000
+++ jupyter-core-4.7.1/debian/patches/CVE-2022-39286.patch 2023-06-09 02:08:15.000000000 +0000
@@ -0,0 +1,94 @@
+From 1118c8ce01800cb689d51f655f5ccef19516e283 Mon Sep 17 00:00:00 2001
+From: Steven Silvester
+Date: Wed, 19 Oct 2022 09:05:21 -0500
+Subject: [PATCH] Merge pull request from GHSA-m678-f26j-3hrp
+
+---
+ jupyter_core/application.py | 2 +-
+ jupyter_core/tests/test_application.py | 38 ++++++++++++++++----------
+ 2 files changed, 24 insertions(+), 16 deletions(-)
+
+Index: jupyter-core-4.7.1/jupyter_core/application.py
+===================================================================
+--- jupyter-core-4.7.1.orig/jupyter_core/application.py
++++ jupyter-core-4.7.1/jupyter_core/application.py
+@@ -68,8 +68,8 @@ class JupyterApp(Application):
+ def config_file_paths(self):
+ path = jupyter_config_path()
+ if self.config_dir not in path:
++ # Insert config dir as first item.
+ path.insert(0, self.config_dir)
+- path.insert(0, os.getcwd())
+ return path
+ 
+ data_dir = Unicode()
+Index: jupyter-core-4.7.1/jupyter_core/tests/test_application.py
+===================================================================
+--- jupyter-core-4.7.1.orig/jupyter_core/tests/test_application.py
++++ jupyter-core-4.7.1/jupyter_core/tests/test_application.py
+@@ -65,25 +65,33 @@ def test_generate_config():
+ 
+ def test_load_config():
+ config_dir = mkdtemp()
+- wd = mkdtemp()
++ os.environ["JUPYTER_CONFIG_PATH"] = str(config_dir)
+ with open(pjoin(config_dir, 'dummy_app_config.py'), 'w') as f:
+ f.write('c.DummyApp.m = 1\n')
+ f.write('c.DummyApp.n = 1')
+- with patch.object(os, 'getcwd', lambda : wd):
+- app = DummyApp(config_dir=config_dir)
+- app.initialize([])
++
++ app = DummyApp(config_dir=config_dir)
++ app.initialize([])
+ 
+ assert app.n == 1, "Loaded config from config dir"
++ assert app.m == 1, "Loaded config from config dir"
+ 
+- with open(pjoin(wd, 'dummy_app_config.py'), 'w') as f:
+- f.write('c.DummyApp.n = 2')
++ shutil.rmtree(config_dir)
++ del os.environ["JUPYTER_CONFIG_PATH"]
++
++def test_load_config_no_cwd():
++ config_dir = mkdtemp()
++ wd = mkdtemp()
++ with open(pjoin(wd, "dummy_app_config.py"), "w", encoding="utf-8") as f:
++ f.write("c.DummyApp.m = 1\n")
++ f.write("c.DummyApp.n = 1")
+ 
+ with patch.object(os, 'getcwd', lambda : wd):
+ app = DummyApp(config_dir=config_dir)
+ app.initialize([])
+ 
+- assert app.m == 1, "Loaded config from config dir"
+- assert app.n == 2, "Loaded config from CWD"
++ assert app.n == 0
++ assert app.m == 0
+ 
+ shutil.rmtree(config_dir)
+ shutil.rmtree(wd)
+@@ -91,17 +99,16 @@ def test_load_config():
+ 
+ def test_load_bad_config():
+ config_dir = mkdtemp()
+- wd = mkdtemp()
++ os.environ["JUPYTER_CONFIG_PATH"] = str(config_dir)
+ with open(pjoin(config_dir, 'dummy_app_config.py'), 'w') as f:
+ f.write('c.DummyApp.m = "a\n') # Syntax error
+- with patch.object(os, 'getcwd', lambda : wd):
+- with pytest.raises(SyntaxError):
+- app = DummyApp(config_dir=config_dir)
+- app.raise_config_file_errors=True
+- app.initialize([])
++ with pytest.raises(SyntaxError):
++ app = DummyApp(config_dir=config_dir)
++ app.raise_config_file_errors=True
++ app.initialize([])
+ 
+ shutil.rmtree(config_dir)
+- shutil.rmtree(wd)
++ del os.environ["JUPYTER_CONFIG_PATH"]
+ 
+ 
+ def test_runtime_dir_changed():
diff -Nru jupyter-core-4.7.1/debian/patches/series jupyter-core-4.7.1/debian/patches/series
--- jupyter-core-4.7.1/debian/patches/series 2021-02-01 18:39:54.000000000 +0000
+++ jupyter-core-4.7.1/debian/patches/series 2023-06-06 02:41:07.000000000 +0000
@@ -1,2 +1,3 @@
 0003-Disable-sphinxcontrib_github_alt.patch
 0003-Drop-test_jupyter_path_prefer_env.patch
+CVE-2022-39286.patch
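Review bot: In the rewritten `test_load_config` and `test_load_bad_config` carried by this patch, `os.environ["JUPYTER_CONFIG_PATH"]` is assigned at the top and only cleared by a trailing `del`, so a failing assertion (or a `SyntaxError` that never arrives inside `pytest.raises`) leaves the variable set for every later test in the same process; the unconditional `shutil.rmtree` calls have the same problem. Because the new `test_load_config_no_cwd` asserts `app.n == 0` and `app.m == 0` against a fresh directory, a leaked variable from the previous test would presumably make it fail for the wrong reason and hide whether the CWD is really no longer consulted. Since the file already uses pytest, `def test_load_config(monkeypatch):` with `monkeypatch.setenv("JUPYTER_CONFIG_PATH", str(config_dir))` replacing both the assignment and the `del` restores the environment on any exit; the same change applies to `test_load_bad_config`, and `tmp_path` would remove the manual `mkdtemp`/`rmtree` pairs. The `application.py` hunk itself is minimal and correct: dropping `path.insert(0, os.getcwd())` is the entire fix and the remaining `config_file_paths` body is unchanged.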