oss-sec mailing list archives
Re: Requesting a CVE for pip - Local DoS with predictable temp directory names
From: Donald Stufft <donald () stufft io>
Date: Wed, 19 Nov 2014 14:15:56 -0500
On Nov 17, 2014, at 3:29 PM, Donald Stufft <donald () stufft io> wrote: I'd like to request a CVE for pip[1][2] and I am a core developer for that project. There is a local DoS in pip 1.3, 1.3.1, 1.4, 1.4.1, 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, and 1.5.6. In an attempt to fix CVE-2013-1888 pip modified it's build directories from pip-build to pip-build-<username> and added in checks that would ensure that only a directory owned by the current user would be used. However because the build directory is predictable a local DoS is possible simply by creating a /tmp/pip-build-<username>/ directory owned by someone other than the defined user. This issue has also been reported to the Debian bug tracker as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847. This has been fixed[3] in the develop branch of pip which will be released as pip 6.0. I am not aware of any previous CVE for this issue. [1] https://pip.pypa.io/ [2] https://pypi.python.org/pypi [3] https://github.com/pypa/pip/pull/2122 --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
ping? --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Current thread:
- Requesting a CVE for pip - Local DoS with predictable temp directory names Donald Stufft (Nov 17)
- Re: Requesting a CVE for pip - Local DoS with predictable temp directory names Donald Stufft (Nov 19)
- Re: Requesting a CVE for pip - Local DoS with predictable temp directory names cve-assign (Nov 19)