Debian Bug report logs - #725847
python-pip: CVE-2014-8991: DoS by other users on the same system

Reported by: Paul Wise <pabs@debian.org>

Date: Wed, 9 Oct 2013 02:57:02 UTC

Severity: important

Tags: security

Found in version python-pip/1.4.1-2

Fixed in version python-pip/1.5.6-4

Done: Scott Kitterman <scott@kitterman.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/pypa/pip/issues/1852


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#725847; Package python-pip. (Wed, 09 Oct 2013 02:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 09 Oct 2013 02:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pip: DoS by other users on the same system
Date: Wed, 09 Oct 2013 10:53:33 +0800
[Message part 1 (text/plain, inline)]
Package: python-pip
Version: 1.4.1-2
Severity: normal
Tags: security
Usertags: tmp

pip uses a non-random per-user build directory that is in /tmp. This
means that any user can prevent any other user from installing packages.
There is the --build-directory option to override this, but it isn't
documented in the manual page, only in the --help output. It would be much
better to use tempfile.mkdtemp() to create the build directory.

$ pip install foo
The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
pip will not work until the temporary folder is either deleted or owned by your user account.
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.4.1', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 345, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2381, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2087, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 10, in <module>
    from pip.util import get_installed_distributions, get_prog
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 15, in <module>
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 92, in <module>
    build_prefix = _get_build_prefix()
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 82, in _get_build_prefix
    raise pip.exceptions.InstallationError(msg)
pip.exceptions.InstallationError: The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  ca-certificates       20130906
ii  python                2.7.5-5
ii  python-pkg-resources  0.6.49-2
ii  python-setuptools     0.6.49-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://github.com/pypa/pip/issues/1852'. Request was from Barry Warsaw <barry@debian.org> to control@bugs.debian.org. (Tue, 03 Jun 2014 20:42:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#725847; Package python-pip. (Mon, 17 Nov 2014 18:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Donald Stufft <donald@stufft.io>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 17 Nov 2014 18:57:05 GMT) (full text, mbox, link).


Message #12 received at 725847@bugs.debian.org (full text, mbox, reply):

From: Donald Stufft <donald@stufft.io>
To: 725847@bugs.debian.org
Subject: python-pip: DoS by other users on the same system
Date: Mon, 17 Nov 2014 13:53:29 -0500
I just fixed this in pip’s develop branch. It’s not released yet though, but it
will be in pip 6.0.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#725847; Package python-pip. (Thu, 20 Nov 2014 07:06:05 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 20 Nov 2014 07:06:05 GMT) (full text, mbox, link).


Message #17 received at 725847@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: donald@stufft.io
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 725847@bugs.debian.org
Subject: Re: Requesting a CVE for pip - Local DoS with predictable temp directory names
Date: Thu, 20 Nov 2014 01:56:52 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> because the build directory is predictable a local DoS is possible
> simply by creating a /tmp/pip-build-<username>/ directory owned by
> someone other than the defined user
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
> https://github.com/pypa/pip/pull/2122

Use CVE-2014-8991.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'python-pip: CVE-2014-8991 DoS by other users on the same system' from 'python-pip: DoS by other users on the same system' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Nov 2014 07:12:05 GMT) (full text, mbox, link).


Changed Bug title to 'python-pip: CVE-2014-8991: DoS by other users on the same system' from 'python-pip: CVE-2014-8991 DoS by other users on the same system' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Nov 2014 07:12:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#725847; Package python-pip. (Sun, 23 Nov 2014 03:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Donald Stufft <donald@stufft.io>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 23 Nov 2014 03:18:05 GMT) (full text, mbox, link).


Message #26 received at 725847@bugs.debian.org (full text, mbox, reply):

From: Donald Stufft <donald@stufft.io>
To: 725847@bugs.debian.org
Subject: python-pip: DoS by other users on the same system
Date: Sat, 22 Nov 2014 22:15:53 -0500
Just an FYI, I backported this fix to 1.5.6, which should apply pretty easily to
the version of pip in testing and unstable. Essentially it will use a random
and securely created build directory in most every situation except the one
that relies on having a predictable build directory.

The patch is here: https://bpaste.net/show/05df2f100c93

I'm not sure what (if anything) I can do to help get this issue fixed other
than provide that patch.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
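The two designs discussed in this thread side by side, as an added example that is not pip's own code: the pre-fix fixed per-user path under the temp directory together with the ownership guard that produced the InstallationError in the original report, and the tempfile.mkdtemp() approach the report recommends and the backport adopts. The helper names, the sandbox root and the "victim" user name are constructed for the demonstration.

```python
# Added example (not pip's own code): contrasts the predictable build directory
# behind CVE-2014-8991 with a tempfile.mkdtemp() build directory. All names,
# paths and the sandbox root below are constructed for this demonstration.
import getpass
import os
import stat
import tempfile


def predictable_build_prefix(tmp_root, user=None):
    """Pre-fix layout: a fixed, guessable per-user path under the temp dir."""
    user = user or getpass.getuser()
    return os.path.join(tmp_root, "pip_build_" + user)


def usable_by(path, uid):
    """Guard in the spirit of pip 1.4: only use an existing build dir if it is
    a real directory owned by `uid`. Returns (ok, reason); the False branch
    corresponds to the InstallationError shown in the report."""
    if not os.path.lexists(path):
        return True, "absent"
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory (symlinks rejected too)"
    if st.st_uid != uid:
        return False, "not owned by your user"
    return True, "owned"


def secure_build_dir(tmp_root):
    """Post-fix approach: random suffix, created atomically with mode 0700,
    so a pre-existing entry can never be the directory pip ends up using."""
    return tempfile.mkdtemp(prefix="pip-build-", dir=tmp_root)


def demo():
    """Sandbox under our own temp dir: pre-create the predictable path, show
    the guard refuses it for a different uid, and show mkdtemp is unaffected."""
    root = tempfile.mkdtemp(prefix="cve-2014-8991-demo-")
    squat = predictable_build_prefix(root, user="victim")
    os.mkdir(squat)                            # stands in for another user's dir
    me = os.getuid()
    ok_self, _ = usable_by(squat, me)          # same uid: pip would proceed
    ok_other, why = usable_by(squat, me + 1)   # foreign-owned: pip aborts
    d1, d2 = secure_build_dir(root), secure_build_dir(root)
    mode = stat.S_IMODE(os.stat(d1).st_mode)
    return {"squat_blocks_other": not ok_other, "reason": why,
            "self_ok": ok_self, "random_distinct": d1 != d2,
            "private_mode": mode == 0o700, "in_root": d1.startswith(root)}
```

Because the guard only refuses a foreign-owned directory rather than choosing a different one, the pre-fix design cannot recover once the path exists; the mkdtemp variant sidesteps the problem instead of detecting it.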




Severity set to 'important' from 'normal' Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Wed, 03 Dec 2014 19:03:07 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from kitterman@users.alioth.debian.org to control@bugs.debian.org. (Wed, 03 Dec 2014 19:54:04 GMT) (full text, mbox, link).


Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Sat, 06 Dec 2014 06:36:05 GMT) (full text, mbox, link).


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Sat, 06 Dec 2014 06:36:05 GMT) (full text, mbox, link).


Message #35 received at 725847-close@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <scott@kitterman.com>
To: 725847-close@bugs.debian.org
Subject: Bug#725847: fixed in python-pip 1.5.6-4
Date: Sat, 06 Dec 2014 06:33:55 +0000
Source: python-pip
Source-Version: 1.5.6-4

We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-pip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Dec 2014 13:46:31 -0500
Source: python-pip
Binary: python-pip python3-pip python-pip-whl
Architecture: source all
Version: 1.5.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-pip - alternative Python package installer
 python-pip-whl - alternative Python package installer
 python3-pip - alternative Python package installer - Python 3 version of the pa
Closes: 725847 769930 771794
Changes:
 python-pip (1.5.6-4) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream fix to use non-predictable download directories
     - Fixes denial of service vector (CVE-2014-8991) (Closes: #725847)
     - Fixes retry failures (Closes: #769930)
   * Add patch (reviewed by upstream, but not committed there yet) to prevent
     pip from removing system python packages (Closes: #771794)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Jan 2015 07:29:23 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:18:09 2019; Machine Name: buxtehude

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.