| Summary: | <dev-python/pip-1.3.1: Module Insecure Temporary File Creation Security Issue (CVE-2013-1888) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/52674/ | ||
| Whiteboard: | B3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
Solution Update to version 1.3. Arch teams please stabilize pip-1.3.1 amd64 stable x86 stable GLSA vote: yes. YES too, request filed. *** Bug 480208 has been marked as a duplicate of this bug. *** CVE-2013-1888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1888): pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. This issue was resolved and addressed in GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml by GLSA coordinator Chris Reffett (creffett). This issue was resolved and addressed in GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml by GLSA coordinator Chris Reffett (creffett). |
From ${URL} : Description A security issue has been reported in Python pip Module, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to the application creating temporary files with insecure permissions and can be exploited to e.g. overwrite arbitrary files via symlink attacks. The security issue is reported in versions prior to 1.3. Solution Update to version 1.3. Provided and/or discovered by Reported by the vendor. Original Advisory https://github.com/pypa/pip/issues/725