Summary: | <dev-python/setuptools-0.8-r1: easy_install insecure installation mechanism (CVE-2013-1633) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=994182 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 479980 | ||
Bug Blocks: | | ||
Description
Agostino Sarubbo
2013-08-06 19:12:02 UTC
(In reply to Agostino Sarubbo from comment #0)
> easy_install in setuptools before 0.7 uses HTTP to retrieve packages
> from the PyPI repository, and does not perform integrity checks on
> package contents, which allows man-in-the-middle attackers to execute
> arbitrary code via a crafted response to the default use of the
> product.
>
>
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please say explicitly if it is ready for the stabilization or not.

I think 0.8 should be the current stable candidate. It's a month old, and passes tests with py2.6-3.3. But before stabilization, I'd like to backport my patch from -0.9.8-r1 to it since it fixes serious damage that easy_install is able to do to the system (bug #468378). As for <0.7, I've seen a single package depending on it and it's stevedore-0.8-r1. However, 0.9 is stable so I think we can simply drop it.

CVE-2013-1633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1633): easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.

GLSA request filed.

This issue was resolved and addressed in GLSA 201310-09 at http://security.gentoo.org/glsa/glsa-201310-09.xml by GLSA coordinator Sean Amoss (ackle).
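The two controls that CVE-2013-1633 says pre-0.7 easy_install lacked, an HTTPS transport and an integrity check on the fetched package, can be illustrated with a small verifier. This is an added example, not setuptools code; it assumes PyPI-style download links that carry the expected digest in the URL fragment (`...tar.gz#sha256=<hex>`), and the link, package bytes and host name below are constructed.

```python
import hashlib
from urllib.parse import urlparse

# Digest algorithms accepted in a link fragment such as "#md5=<hex>"
# (constructed set for this example).
SUPPORTED_HASHES = {"md5", "sha1", "sha256"}


class InsecureDownload(Exception):
    """Raised when a fetched package cannot be verified end-to-end."""


def parse_link_hash(link):
    """Return (algorithm, hex digest) from a link's '#alg=hex' fragment,
    or None when the link announces no usable digest."""
    fragment = urlparse(link).fragment
    if "=" not in fragment:
        return None
    alg, _, digest = fragment.partition("=")
    alg = alg.lower()
    if alg not in SUPPORTED_HASHES:
        return None
    return alg, digest.lower()


def link_with_hash(base_url, content, alg="sha256"):
    """Build a download link whose fragment carries the digest of content
    (helper to construct sample input; a real index would publish this)."""
    return f"{base_url}#{alg}={hashlib.new(alg, content).hexdigest()}"


def verify_download(link, content, require_https=True):
    """Accept the fetched package bytes only if the transport was HTTPS and
    the bytes match the digest announced in the link fragment.
    Returns the algorithm that matched; raises InsecureDownload otherwise."""
    scheme = urlparse(link).scheme.lower()
    if require_https and scheme != "https":
        # Plain HTTP is exactly the man-in-the-middle exposure in the CVE.
        raise InsecureDownload(f"refusing non-HTTPS download: {link}")
    expected = parse_link_hash(link)
    if expected is None:
        # No digest means the content cannot be checked at all.
        raise InsecureDownload(f"no usable hash fragment on link: {link}")
    alg, digest = expected
    actual = hashlib.new(alg, content).hexdigest()
    if actual != digest:
        raise InsecureDownload(
            f"{alg} mismatch for {link}: expected {digest}, got {actual}")
    return alg
```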