oss-sec mailing list archives
Requesting CVE-ID(s) for Python's pip
From: isis agora lovecruft <isis () torproject org>
Date: Fri, 26 Jul 2013 12:03:16 +0000
I would also like to request CVE assignment(s) for two issues in pip (https://github.com/pypa/pip/), related to Donald Stufft's. First issue: ------------ Python's pip versions 1.4.x and earlier are vulnerable to an Arbitrary Code Execution Attack due to incorrect regexp parsing of external download links in the following functions in pip/index.py: * PackageFinder._get_pages() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L232 * PackageFinder._sort_links() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L272 * PackageFinder._package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L285 * PackageFinder._link_package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L290 Which allow an attacker with the ability to Man-in-the-Middle external package URIs (which often include external HTTP URIs, and can include the module author's personal website, see https://github.com/pypa/pip/commit/a3584d176697bd4c83390de1857679d44389e00d#L0L265) to specify an arbitrarily high package version number and gain code execution. Uptream bugtracker reports: https://github.com/pypa/pip/issues/425#issuecomment-20639993 https://github.com/pypa/pip/issues/425#issuecomment-20640890 Other mentions: https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157 https://paste.debian.net/7309/ This issue is fixed in pip>=1.5.x by Donald Stufft in the following commits: https://github.com/pypa/pip/commit/0e1da584f418ae0088b43d01248572e2ff53d3a1 https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157 Second issue: ------------- Python's pip versions 1.5.x and earlier use MD5 hashes for verification of package integrity against PyPI (which defaults to providing MD5). These issues appear to be unrelated to Donald Stufft's CVE ID request filed earlier today, and additionally unrelated to the following already assigned CVEs: * CVE-2013-1888 Pip builds in /tmp https://security-tracker.debian.org/tracker/CVE-2013-1888 https://bugzilla.redhat.com/show_bug.cgi?id=923974 http://seclists.org/oss-sec/2013/q1/704 * CVE-2013-1629 Pip<1.3.0 uses a default package index without SSL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629 https://bugzilla.redhat.com/show_bug.cgi?id=968059 -- ♥Ⓐ isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Requesting CVE-ID(s) for Python's pip isis agora lovecruft (Jul 26)
- Re: Requesting CVE-ID(s) for Python's pip Donald Stufft (Jul 26)
- Re: Requesting CVE-ID(s) for Python's pip Kurt Seifried (Jul 29)
- Re: Requesting CVE-ID(s) for Python's pip Donald Stufft (Jul 29)
- Re: Requesting CVE-ID(s) for Python's pip isis agora lovecruft (Aug 01)
- Re: Requesting CVE-ID(s) for Python's pip Jeremy Stanley (Aug 01)
- Re: Requesting CVE-ID(s) for Python's pip Kurt Seifried (Jul 29)
- Re: Requesting CVE-ID(s) for Python's pip Daniel Kahn Gillmor (Aug 01)
- Re: Requesting CVE-ID(s) for Python's pip Donald Stufft (Jul 26)