oss-sec mailing list archives

Requesting a CVE for pip - Local DoS with predictable temp directory names


From: Donald Stufft <donald () stufft io>
Date: Mon, 17 Nov 2014 15:29:42 -0500

I'd like to request a CVE for pip[1][2] and I am a core developer for that
project.

There is a local DoS in pip 1.3, 1.3.1, 1.4, 1.4.1, 1.5, 1.5.1, 1.5.2, 1.5.3,
1.5.4, 1.5.5, and 1.5.6. In an attempt to fix CVE-2013-1888 pip modified its
build directories from pip-build to pip-build-<username> and added in checks
that would ensure that only a directory owned by the current user would be
used. However, because the build directory is predictable, a local DoS is
possible simply by creating a /tmp/pip-build-<username>/ directory owned by
someone other than the defined user. This issue has also been reported to the
Debian bug tracker as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847.

This has been fixed[3] in the develop branch of pip which will be released as
pip 6.0. 

I am not aware of any previous CVE for this issue.

[1] https://pip.pypa.io/
[2] https://pypi.python.org/pypi
[3] https://github.com/pypa/pip/pull/2122

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
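
The failure mode described in the message above, as an added Python illustration (not part of the original message and not pip's code). The function names, the user `alice` and the scratch directory standing in for /tmp are hypothetical, and the use of `tempfile.mkdtemp` is a general mitigation for predictable names, not a description of the linked fix.

```python
import os
import tempfile


class BuildDirError(Exception):
    """Raised when the predictable build directory cannot be used safely."""


def predictable_build_dir(tmp_root, username, uid):
    """Model of the scheme in the message: fixed name plus an owner check."""
    path = os.path.join(tmp_root, "pip-build-" + username)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        # lstat so a symlink planted at this name is not followed.
        if os.lstat(path).st_uid != uid:
            # Refusing is the safe choice, but the user can no longer
            # build anything: this refusal is the local DoS.
            raise BuildDirError(path + " is not owned by uid " + str(uid))
    return path


def random_build_dir(tmp_root):
    """Hardened form: mkdtemp picks an unguessable name, created mode 0700."""
    return tempfile.mkdtemp(prefix="pip-build-", dir=tmp_root)


def demo():
    """Return (predictable_blocked, random_ok) for a constructed scenario."""
    with tempfile.TemporaryDirectory() as tmp_root:
        # Constructed stand-in for /tmp: the well-known name already exists
        # and its owner differs from the uid of the user who wants to build.
        os.mkdir(os.path.join(tmp_root, "pip-build-alice"))
        builder_uid = os.getuid() + 1  # constructed uid, not a real account
        try:
            predictable_build_dir(tmp_root, "alice", builder_uid)
            blocked = False
        except BuildDirError:
            blocked = True
        new_dir = random_build_dir(tmp_root)
        ok = (os.path.isdir(new_dir)
              and os.lstat(new_dir).st_uid == os.getuid()
              and os.path.basename(new_dir) != "pip-build-alice")
        return blocked, ok
```

The owner check keeps the predictable scheme from using someone else's directory, which is why the outcome is denial of service and nothing worse; the random name removes the fixed path that could be occupied in advance.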

