oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Requesting CVE-ID(s) for Python's pip

From: isis agora lovecruft <isis () torproject org>
Date: Thu, 1 Aug 2013 14:03:35 +0000
Donald Stufft transcribed 14K bytes:


On Jul 30, 2013, at 2:29 AM, Kurt Seifried <kseifried () redhat com> wrote:


Signed PGP part
On 07/26/2013 09:46 AM, Donald Stufft wrote:


On Jul 26, 2013, at 8:03 AM, isis agora lovecruft
<isis () torproject org> wrote:


I would also like to request CVE assignment(s) for two issues in
pip (https://github.com/pypa/pip/), related to Donald Stufft's.

First issue: ------------ Python's pip versions 1.4.x and earlier
are vulnerable to an Arbitrary Code Execution Attack due to
incorrect regexp parsing of external download links in the
following functions in pip/index.py:

* PackageFinder._get_pages()
https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L232 *
PackageFinder._sort_links()
https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L272 *
PackageFinder._package_versions()
https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L285 *
PackageFinder._link_package_versions()
https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L290

Which allow an attacker with the ability to Man-in-the-Middle
external package URIs (which often include external HTTP URIs,
and can include the module author's personal website, see 
https://github.com/pypa/pip/commit/a3584d176697bd4c83390de1857679d44389e00d#L0L265)



to specify an arbitrarily high package version number and gain code

execution.

Uptream bugtracker reports:
https://github.com/pypa/pip/issues/425#issuecomment-20639993 
https://github.com/pypa/pip/issues/425#issuecomment-20640890

Other mentions:
https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157



https://paste.debian.net/7309/


This issue is fixed in pip>=1.5.x by Donald Stufft in the
following commits: 
https://github.com/pypa/pip/commit/0e1da584f418ae0088b43d01248572e2ff53d3a1



https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157


I'm not sure I understand this one. Is this just the external urls?
Technically it wasn't a problem with the regexp's they worked fine.
It was just bad behavior inherited from legacy systems. 1.4.x
defaults to allowing them but enables people to turn them off,
1.5.x will disallow them by default.

1.3.x and earlier allowed them and offered no way to disable them.


So it sounds like 1.3.x was definitely vulnerable to this with no way
to disable it, 1.4 was vulnerable by default but could be made safe,
and 1.5 is vulnerable but safe by default, is that correct?


Yes, this is correct.


Yes, assuming this is the unverified external link problem which I believe
it is, except 1.5 is a future version that hasn't happened yet so it's "will" b
 safe by default. As a pip developer, again assuming my understanding
of the request is correct, I do believe a CVE is warranted here.


Second issue: ------------- Python's pip versions 1.5.x and
earlier use MD5 hashes for verification of package integrity
against PyPI (which defaults to providing MD5).


Strictly speaking pip doesn't default to any hash. It just uses the
hash given to it. Prior to 1.2 it only allowed MD5 but since the
release of 1.2 it has allowed any of the guaranteed hashes in
python's hash lib.

See: https://github.com/pypa/pip/pull/467

Setuptools has also historically only allowed MD5 but has recently
with version 0.9+ enabled similar abilities to setuptools to enable
the use of any available hashes as well. Distribute (a fork of
setuptools which has now been merged back into setuptools) only
supports MD5 in it's older releases.


I'm not sure in this case MD5 alone is a security vulnerability, I
think previously it had been decided that just because it uses MD5
wasn't ernough to get a CVE, it had to have some specific use that
made MD5 a problem. 


I wasn't sure if this warranted a CVE either. And, to be fair, Donald Stufft
points out that pip can handle alternate ciphers just fine, it is
pypi.python.org which uses MD5 by default.


OTOH DES is at this point worthy of a CVE since
you can crack it in a reasonable amount of time on AWS/etc for a few
hundred bucks or less. Personally I would assign a CVE to everything
using MD5 by default to try and help kill it off, but that would be a
lot of CVEs.


Marc Stevens recently published a paper on using probabilistic conditionals to
control differential computation for two-block MD5 collisions, claiming that,
on a 3GHz Pentium 4, "with a reasonable probability a collision is found
within mere seconds, allowing for instance an attack during the execution of a
protocol". [0]


This one is the one I'm not really sure about. Pip has supported any hash for
longer then they've offered verified downloads so it's certainly not a problem
there (or rather if it is a problem it's overshadowed by the fact that it wasn't
using TLS or if people manually configured it to do so it wouldn't' verify it).

Setuptools did only support MD5 until recently (and has versions that both
support TLS verification and only MD5 as a hash) however that doesn't
really buy anything until the index server serves a different hash. Currently
PyPI (which I'm also an admin on) continues to serve MD5 and going by
the thread on that discussion list it appears it will continue to do in the future.


References
[0]: Stevens, Marc. "Fast Collision Attack on MD5." 
       IACR Cryptology ePrint Archive 2006 (2006): 104.
       http://crppit.epfl.ch/documentation/Hash_Function/Examples/Code_Project/Documentation/104.pdf     

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt

Attachment: signature.asc
Description: Digital signature

Previous By Date Next
Previous By Thread Next

Current thread: