Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130726120316.GD6700@patternsinthevoid.net>
Date: Fri, 26 Jul 2013 12:03:16 +0000
From: isis agora lovecruft <isis@...project.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Requesting CVE-ID(s) for Python's pip

I would also like to request CVE assignment(s) for two issues in pip
(https://github.com/pypa/pip/), related to Donald Stufft's.

First issue:
------------
  Python's pip versions 1.4.x and earlier are vulnerable to an Arbitrary Code
  Execution Attack due to incorrect regexp parsing of external download links
  in the following functions in pip/index.py:

    * PackageFinder._get_pages() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L232
    * PackageFinder._sort_links() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L272
    * PackageFinder._package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L285
    * PackageFinder._link_package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L290

  Which allow an attacker with the ability to Man-in-the-Middle external
  package URIs (which often include external HTTP URIs, and can include the
  module author's personal website, see
  https://github.com/pypa/pip/commit/a3584d176697bd4c83390de1857679d44389e00d#L0L265)
  to specify an arbitrarily high package version number and gain code
  execution.

  Uptream bugtracker reports: https://github.com/pypa/pip/issues/425#issuecomment-20639993
                              https://github.com/pypa/pip/issues/425#issuecomment-20640890

  Other mentions: https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157
                  https://paste.debian.net/7309/

  This issue is fixed in pip>=1.5.x by Donald Stufft in the following commits:
  https://github.com/pypa/pip/commit/0e1da584f418ae0088b43d01248572e2ff53d3a1
  https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157

Second issue:
-------------
  Python's pip versions 1.5.x and earlier use MD5 hashes for verification of
  package integrity against PyPI (which defaults to providing MD5).

These issues appear to be unrelated to Donald Stufft's CVE ID request filed
earlier today, and additionally unrelated to the following already assigned
CVEs:

  * CVE-2013-1888 Pip builds in /tmp 
    https://security-tracker.debian.org/tracker/CVE-2013-1888
    https://bugzilla.redhat.com/show_bug.cgi?id=923974
    http://seclists.org/oss-sec/2013/q1/704

  * CVE-2013-1629 Pip<1.3.0 uses a default package index without SSL
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
    https://bugzilla.redhat.com/show_bug.cgi?id=968059

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt

Download attachment "signature.asc" of type "application/pgp-signature" (916 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.