oss-sec mailing list archives

Re: Requesting a CVE for pip - Local DoS with predictable temp directory names


From: cve-assign () mitre org
Date: Thu, 20 Nov 2014 01:56:52 -0500 (EST)


because the build directory is predictable a local DoS is possible
simply by creating a /tmp/pip-build-<username>/ directory owned by
someone other than the defined user

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
https://github.com/pypa/pip/pull/2122

Use CVE-2014-8991.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
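One way a tool can avoid the denial of service described in the message above, shown as an added example that is not part of the original message and is not pip's own code. The function names and the `tmp_root` and `uid` parameters are assumptions made for illustration.

```python
import os
import stat
import tempfile


def is_trusted_dir(path, uid):
    """True only if path is a real directory owned by uid and not writable by others."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at this name
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def get_build_dir(tmp_root, username, uid=None):
    """Return a build directory the calling user controls.

    The predictable name <tmp_root>/pip-build-<username> is tried first. If
    that name is already taken by something the user does not own, the
    function falls back to a randomly named directory instead of failing.
    """
    uid = os.getuid() if uid is None else uid  # uid override is for testing only
    predictable = os.path.join(tmp_root, "pip-build-" + username)
    try:
        os.mkdir(predictable, 0o700)  # atomic: raises if anything exists here
        return predictable
    except FileExistsError:
        if is_trusted_dir(predictable, uid):
            return predictable  # our own directory from an earlier run
    # Name is occupied by another owner, a symlink or a file: use an
    # unpredictable name so the occupied path cannot block the build.
    return tempfile.mkdtemp(prefix="pip-build-", dir=tmp_root)
```
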

