Bug 918427 (CVE-2023-5752)

Summary:	<dev-python/pip-23.3: mercurial configuration injection on installation
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mgorny, python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
Whiteboard:	B2 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	917371
Bug Blocks:

Description John Helmert III archtester

2023-11-24 20:41:16 UTC

CVE-2023-5752:

When installing a package from a Mercurial VCS URL  (ie "pip install 
hg+...") with pip prior to v23.3, the specified Mercurial revision could
 be used to inject arbitrary configuration options to the "hg clone" 
call (ie "--config"). Controlling the Mercurial configuration can modify
 how and which repository is installed. This vulnerability does not 
affect users who aren't installing from Mercurial.

Please stabilize 23.3.

Comment 1 Michał Górny archtester

2023-11-25 10:32:02 UTC

cleanup done.

Comment 2 Larry the Git Cow gentoo-dev

2025-01-17 07:08:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2bebd1f6ef19542db597ac157cb68c5918ce711d

commit 2bebd1f6ef19542db597ac157cb68c5918ce711d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-01-17 07:08:02 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-01-17 07:08:10 +0000

    [ GLSA 202501-03 ] pip: arbitrary configuration injection
    
    Bug: https://bugs.gentoo.org/918427
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202501-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)