Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501752 (CVE-2013-5123) - <dev-python/pip-7.0.0: insecure software download with mirroring support
Summary: <dev-python/pip-7.0.0: insecure software download with mirroring support
Alias: CVE-2013-5123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2014-02-19 08:38 UTC by Agostino Sarubbo
Modified: 2016-07-02 05:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-19 08:38:49 UTC
From ${URL} :

The mirroring support (-M, --use-mirrors) was implemented without
any sort of authenticity checks and is downloaded over plaintext
HTTP. Further more by default it will dynamically discover the list of
available mirrors by querying a DNS entry and extrapolating from that
data. It does not attempt to use any sort of method of securing this
querying of the DNS like DNSSEC. Software packages are downloaded over
these insecure links, unpacked, and then typically the python
file inside of them is executed.

It's a pretty long thread originating here:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-11-23 10:07:41 UTC
commit 015c1f58eed5da83e9b4602b91fb34f898c8a3a6
Author: Justin Lecher <>
Date:   Mon Nov 23 10:54:42 2015 +0100

    dev-python/pip: Drop vulnerable versions for CVE-2014-8991 and CVE-2013-5123


    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <>
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-11-23 10:11:41 UTC

Tree is clean again
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 05:12:35 UTC
This issue was fixed in version 1.5:

1.5 (2014-01-01)

BACKWARD INCOMPATIBLE pip no longer supports the --use-mirrors, -M, and --mirrors flags. The mirroring support has been removed. In order to use a mirror specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. (PR #1098, CVE-2013-5123)

GLSA Vote: No