462616 – (CVE-2013-1888) <dev-python/pip-1.3.1: Module Insecure Temporary File Creation Security Issue (CVE-2013-1888)

Bug 462616 (CVE-2013-1888) - <dev-python/pip-1.3.1: Module Insecure Temporary File Creation Security Issue (CVE-2013-1888)

Summary: <dev-python/pip-1.3.1: Module Insecure Temporary File Creation Security Issue...

Status:	RESOLVED FIXED

Alias:	CVE-2013-1888

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/52674/
Whiteboard:	B3 [glsa]
Keywords:

Duplicates (1):	480208 (view as bug list)
Depends on:
Blocks:

Reported:	2013-03-21 18:37 UTC by Agostino Sarubbo
Modified:	2013-09-12 22:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-03-21 18:37:37 UTC

From ${URL} :

Description
A security issue has been reported in Python pip Module, which can be exploited by malicious, local 
users to perform certain actions with escalated privileges.

The security issue is caused due to the application creating temporary files with insecure 
permissions and can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in versions prior to 1.3.


Solution
Update to version 1.3.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://github.com/pypa/pip/issues/725

Comment 1 Ian Delaney (RETIRED) gentoo-dev

2013-04-05 04:54:05 UTC

Solution
Update to version 1.3.

Arch teams please stabilize pip-1.3.1

Comment 2 Agostino Sarubbo gentoo-dev

2013-04-06 21:11:38 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2013-04-06 21:22:28 UTC

x86 stable

Comment 4 Sean Amoss (RETIRED) gentoo-dev

2013-04-08 21:28:46 UTC

GLSA vote: yes.

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2013-07-11 20:41:45 UTC

YES too, request filed.

Comment 6 Agostino Sarubbo gentoo-dev

2013-08-07 19:27:28 UTC

*** Bug 480208 has been marked as a duplicate of this bug. ***

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2013-08-28 23:11:32 UTC

CVE-2013-1888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1888):
  pip before 1.3 allows local users to overwrite arbitrary files via a symlink
  attack on a file in the /tmp/pip-build temporary directory.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2013-09-12 22:23:34 UTC

This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2013-09-12 22:24:03 UTC

This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).