Bug 480202 (CVE-2013-1629)

Summary: <dev-python/pip-1.3: Insecure installation mechanism (CVE-2013-1629)
Product: Gentoo Security    Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal    CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2013/07/26/4
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-08-07 19:20:11 UTC
From ${URL} :

It was reported [1],[2] that pip, a package installer for Python modules, would retrieve code to 
install in an insecure manner.  When pip is used to install a module, that code is retrieved from 
the internet and then, in the presence of setup.py, is executed.  If pip is used as root (e.g. 
"sudo pip install [module]"), then this code is executed with root permissions.  Because pip does 
not do TLS certificate verification, or package verification, it is trivial for an attacker to 
perform a MitM attack and cause the user attempting to install a module to execute arbitrary code.

As of version 1.3, pip provides SSL certificate verification over HTTPS [3],[4].


[1] https://github.com/pypa/pip/issues/425
[2] http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
[3] https://github.com/pypa/pip/pull/791/files
[4] http://www.pip-installer.org/en/latest/logic.html#ssl-certificate-verification


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
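The description above names two separate defects: no TLS certificate verification on the download, and no integrity check on the package before setup.py is executed. The following is an added example (not pip's code and not from the oss-security post) showing the two gates a safe fetch needs; it refuses plaintext URLs, downloads through a certificate-verifying SSL context, and compares the body against a digest pinned in a requirement line whose `--hash=<algo>:<hex>` syntax is assumed here, modelled on pip's later hash-checking mode.

```python
import hashlib
import hmac
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Pin syntax modelled on pip's later "--hash=<algo>:<hex>" requirement lines
# (assumed for this example; the bug page itself names no such option).
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def parse_pins(requirement_line):
    """Return [(algo, hexdigest), ...] pinned on a requirement line ([] if none)."""
    return [(algo, hexd.lower()) for algo, hexd in _HASH_RE.findall(requirement_line)]


def digest_matches(data, pins):
    """True only if data matches at least one pinned digest (constant-time compare)."""
    for algo, expected in pins:
        if hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected):
            return True
    return False


def fetch_verified(url, pins, fetch=None):
    """Return the downloaded bytes only if both CVE-2013-1629 gates pass:
    1. transport: plain HTTP is refused; HTTPS uses a default SSL context, which
       validates the certificate chain and hostname (pre-1.3 pip did not);
    2. content: the body must match a pinned digest before anyone unpacks it
       and runs setup.py. fetch() may be injected (tests, mirrors); None = real download."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing non-HTTPS download: %s" % url)
    if not pins:
        raise ValueError("no pinned digest for %s, refusing unverifiable content" % url)
    if fetch is None:
        ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
        def fetch(u):
            with urllib.request.urlopen(u, context=ctx, timeout=30) as resp:
                return resp.read()
    data = fetch(url)
    if not digest_matches(data, pins):
        raise ValueError("digest mismatch for %s: content altered in transit?" % url)
    return data


# Constructed sample: a fake sdist body and the requirement line that pins it.
SAMPLE_SDIST = b"PK\x03\x04 constructed fake sdist bytes for this example"
SAMPLE_REQ = "example-pkg==1.0 --hash=sha256:" + hashlib.sha256(SAMPLE_SDIST).hexdigest()
```

With a real URL and `fetch=None`, a certificate that does not validate makes `urlopen` raise before any bytes are returned, and a body that does not match the pin is rejected before it can be unpacked.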
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-08-19 11:29:35 UTC
pip-1.3.1 has been stabilized in bug 462616.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-19 23:49:12 UTC
Added to same GLSA as bug 462616.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:34:08 UTC
CVE-2013-1629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1629):
  pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and
  does not perform integrity checks on package contents, which allows
  man-in-the-middle attackers to execute arbitrary code via a crafted response
  to a "pip install" operation.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:23:36 UTC
This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:24:05 UTC
This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).