Re: CVE Request: Insecure Software Download in pip

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/25/2013 03:09 AM, Donald Stufft wrote:
> I'd like to request a CVE for pip
> (https://pypi.python.org/pypi/pip/).
>
> The mirroring support (-M, --use-mirrors) was implemented without
> any sort of authenticity checks and is downloaded over plaintext
> HTTP. Further more by default it will dynamically discover the list
> of available mirrors by querying a DNS entry and extrapolating from
> that data. It does not attempt to use any sort of method of
> securing this querying of the DNS like DNSSEC. Software packages
> are downloaded over these insecure links, unpacked, and then
> typically the setup.py python file inside of them is executed.
>
> The vulnerable code is located at: -
> https://github.com/pypa/pip/blob/develop/pip/index.py#L60-L64 -
> https://github.com/pypa/pip/blob/develop/pip/index.py#L205-L207 -
> https://github.com/pypa/pip/blob/develop/pip/index.py#L553-L572 -
> https://github.com/pypa/pip/blob/develop/pip/index.py#L999-L1024
>
> The affected versions are every released version since 0.8.1 which
> are: 0.8.1, 0.8.2, 0.8.3, 1.0, 1.0.1, 1.0.2, 1.1, 1.2, 1.2.1, 1.3,
> 1.3.1, 1.4
>
> I'm not aware of this issue having ever had a CVE requested for it
> and my attempts to search the CVE database did not appear to turn
> up anything relevant but the search doesn't appear to be the
> greatest so I may have missed it.
>
> I'm hoping to land a patch for this in a future release (current
> iteration of patch available at
> https://github.com/dstufft/pip/compare/remove-mirror-support) but
> there is no planned fix version as of yet.
>
> ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B
> 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Was it supposed to be secure (like was this explicitly supposed to be
all encrypted/etc.)? This sounds more like security hardening than a
security vulnerability.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR83HdAAoJEBYNRVNeJnmTZHAQALOm7lBjIZUCgej+8eW5YVut
f6Z6KiJtJo1m5nITrtAxS9lg7vrwWZ4bg2VhRBT9NQ3kYCP4QHbD80O5jeC2timf
xuelk/qX3htCG0Jl/of9N1VveGGc+IKd96se8QrR5ZdwSu6T5fbdEuXTvAuDSDXf
a2ov7M6tw0K6/78VWrw9iqwpN+qnirfpgeNYtpt9opcQt67YR0YImbvKY/jHGIEz
PrCWRLfsIjNgn4jKo1hDvjtoIo0AJ0cQGAQZi+hZbnK3/KbQK23qAA59OCElD0ZZ
lfdiAbqXEuonyfH/DKA/dpB2kNKRb8rJpGh+SDGMfYFgrQv+Hw7x7DAd0a9js9Oi
JBM9T1kWqTNtwSeN8WrOVVdR7VUKO3Up3+nzsd6et8c/3v2ZDEUgWWxnkA8qWSeS
EaGvSjHWuHeR/DxEoZCQksiceeiWwS3glFVcSqXACH1JKroCU8e//AjB3awOhmkN
cGSArMXGRtkvPwVt/eMmjA8UzXQPjnX+Q2NnkyepLeJuDm2PQPrQkciNAQ3TpfmZ
t9tHO5E0NIfXQ3+W5YJhal4FHjue55ebK4K3ydj/QUiAe7gTFpqkTwA9+azXa8SS
y7O/riAjm/Sr1veGnM3BNK4xGDmrNVdD0Cfjp0nq+CpXWpAqy/TipomsBcW6nPat
R02LjbWbFPuoUAT0+xr4
=1uQa
-----END PGP SIGNATURE-----