Bug 480202 (CVE-2013-1629) - <dev-python/pip-1.3: Insecure installation mechanism (CVE-2013-1629)
Summary: <dev-python/pip-1.3: Insecure installation mechanism (CVE-2013-1629)
Status: RESOLVED FIXED
Alias: CVE-2013-1629
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Reported: 2013-08-07 19:20 UTC by Agostino Sarubbo
Modified: 2013-09-12 22:24 UTC
Description Agostino Sarubbo gentoo-dev 2013-08-07 19:20:11 UTC
From ${URL} :

It was reported [1],[2] that pip, a package installer for Python modules, would retrieve code to 
install in an insecure manner.  When pip is used to install a module, that code is retrieved from 
the internet and then, in the presence of setup.py, is executed.  If pip is used as root (e.g. 
"sudo pip install [module]"), then this code is executed with root permissions.  Because pip does 
not do TLS certificate verification, or package verification, it is trivial for an attacker to 
perform a MitM attack and cause the user attempting to install a module to execute arbitrary code.

As of version 1.3, pip provides SSL certificate verification over HTTPS [3],[4].


[1] https://github.com/pypa/pip/issues/425
[2] http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
[3] https://github.com/pypa/pip/pull/791/files
[4] http://www.pip-installer.org/en/latest/logic.html#ssl-certificate-verification


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
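The description above names two missing controls: no TLS certificate verification on the download and no integrity check on the retrieved archive before its setup.py runs. The following is an added example, not pip's own code and not part of this bug report: a small pre-install gate that refuses to proceed unless both conditions hold. The pip version strings, the `pypi.example` index URL, and the byte string standing in for a downloaded archive are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Per the report, pip 1.3 is the first release that verifies the server
# certificate over HTTPS; anything older is treated as unauthenticated.
FIXED_PIP = (1, 3)


def parse_version(version: str) -> tuple:
    """'1.3.1' -> (1, 3, 1); only the leading numeric components are used."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def transport_is_verified(pip_version: str, index_url: str) -> bool:
    """Downloads are authenticated only over HTTPS *and* with a pip that checks the cert."""
    scheme = urlparse(index_url).scheme.lower()
    return scheme == "https" and parse_version(pip_version) >= FIXED_PIP


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_matches(data: bytes, expected_sha256: str) -> bool:
    """The package integrity check the CVE text notes pip < 1.3 lacks:
    compare the downloaded bytes against a digest pinned in advance."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def install_problems(pip_version: str, index_url: str,
                     archive: bytes, expected_sha256: str) -> list:
    """Return the reasons not to run the archive's setup.py; an empty list
    means both the transport and the content check passed."""
    problems = []
    if not transport_is_verified(pip_version, index_url):
        problems.append("download not authenticated (plain HTTP or pip < 1.3)")
    if not archive_matches(archive, expected_sha256):
        problems.append("archive digest does not match the pinned sha256")
    return problems


if __name__ == "__main__":
    # Constructed sample: b"abc" stands in for the downloaded sdist tarball.
    archive = b"abc"
    pinned = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(install_problems("1.2.1", "http://pypi.example/simple/", archive, pinned))
    print(install_problems("1.3.1", "https://pypi.example/simple/", archive, pinned))
```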
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-08-19 11:29:35 UTC
pip-1.3.1 has been stabilized in bug 462616.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-19 23:49:12 UTC
Added to same GLSA as bug 462616.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:34:08 UTC
CVE-2013-1629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1629):
  pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and
  does not perform integrity checks on package contents, which allows
  man-in-the-middle attackers to execute arbitrary code via a crafted response
  to a "pip install" operation.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:23:36 UTC
This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-09-12 22:24:05 UTC
This issue was resolved and addressed in
 GLSA 201309-05 at http://security.gentoo.org/glsa/glsa-201309-05.xml
by GLSA coordinator Chris Reffett (creffett).