python-pip: CVE-2014-8991: DoS by other users on the same system

Debian Bug report logs - #725847
python-pip: CVE-2014-8991: DoS by other users on the same system

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Wise <pabs@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: python-pip: DoS by other users on the same system

Date: Wed, 09 Oct 2013 10:53:33 +0800

[Message part 1 (text/plain, inline)]

Package: python-pip
Version: 1.4.1-2
Severity: normal
Tags: security
Usertags: tmp

pip uses a non-random per-user build directory that is in /tmp. This
means that any user can prevent any other user from installing packages.
There is the --build-directory option to override this but it isn't
documented in the manual page, only the --help output. It would be much
better to use the tempfile.mkdtemp() to create the build directory.

$ pip install foo
The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
pip will not work until the temporary folder is either deleted or owned by your user account.
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.4.1', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 345, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2381, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2087, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 10, in <module>
    from pip.util import get_installed_distributions, get_prog
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 15, in <module>
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 92, in <module>
    build_prefix = _get_build_prefix()
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 82, in _get_build_prefix
    raise pip.exceptions.InstallationError(msg)
pip.exceptions.InstallationError: The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  ca-certificates       20130906
ii  python                2.7.5-5
ii  python-pkg-resources  0.6.49-2
ii  python-setuptools     0.6.49-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 725847@bugs.debian.org (full text, mbox, reply):

From: Donald Stufft <donald@stufft.io>

To: 725847@bugs.debian.org

Subject: python-pip: DoS by other users on the same system

Date: Mon, 17 Nov 2014 13:53:29 -0500

I just fixed this in pip’s develop branch. It’s not released yet though, but it
will be in pip 6.0.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Message #17 received at 725847@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org

To: donald@stufft.io

Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 725847@bugs.debian.org

Subject: Re: Requesting a CVE for pip - Local DoS with predictable temp directory names

Date: Thu, 20 Nov 2014 01:56:52 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> because the build directory is predictable a local DoS is possible
> simply by creating a /tmp/pip-build-<username>/ directory owned by
> someone other than the defined user
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
> https://github.com/pypa/pip/pull/2122

Use CVE-2014-8991.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUbY7BAAoJEKllVAevmvms8tIH/i8+HMV/TYDQcbr1CZfhfUne
3IPnX17hHUKObil3ryDSzm0aFAWNWz0hxHslJecSKNi0iBmLLR/1ItCbIDCZQ18Y
n8Q9ygJiXYTO5AIA3/UU40G8jQ4PE/lS/jXBlGYEvrUFz1gBhylVe5sX5EdxU5su
97Tk6p/f4FhlOE5abrXLG1Ec9jZdkARlW9EnbmInrjXpIppgZFZQp0EVo+BUP9Ea
h5slMIppNkXIAXhqoT+lIOM/A9l5rBP+GQ5YlxaQY8UsGuOfi5coXvbp/iL8ZB7X
nZD1Xy2aTFFNt1YTmBBMJEr2H06Lrd1+F/xSCTiIgMuCG3Fpy9Wg80TxoOuxQ+0=
=rTeG
-----END PGP SIGNATURE-----

Message #26 received at 725847@bugs.debian.org (full text, mbox, reply):

From: Donald Stufft <donald@stufft.io>

To: 725847@bugs.debian.org

Subject: python-pip: DoS by other users on the same system

Date: Sat, 22 Nov 2014 22:15:53 -0500

Just a FYI, I back ported this fix to 1.5.6 which should apply pretty easily to
the version of pip in testing and unstable. Essentially it will use a random
and securely created build directory in most every situation except the one
that relies on having a predictable build directory.

The patch is here: https://bpaste.net/show/05df2f100c93

I'm not sure what (if anything) I can do to help get this issue fixed other
than provide that patch.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Message #35 received at 725847-close@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <scott@kitterman.com>

To: 725847-close@bugs.debian.org

Subject: Bug#725847: fixed in python-pip 1.5.6-4

Date: Sat, 06 Dec 2014 06:33:55 +0000

Source: python-pip
Source-Version: 1.5.6-4

We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated python-pip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Dec 2014 13:46:31 -0500
Source: python-pip
Binary: python-pip python3-pip python-pip-whl
Architecture: source all
Version: 1.5.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Description:
 python-pip - alternative Python package installer
 python-pip-whl - alternative Python package installer
 python3-pip - alternative Python package installer - Python 3 version of the pa
Closes: 725847 769930 771794
Changes:
 python-pip (1.5.6-4) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream fix to use non-predictable download directories
     - Fixes denial of service vector (CVE-2014-8991) (Closes: #725847)
     - Fixes retry failures (Closes: #769930)
   * Add patch (reviewed by upstream, but not commited there yet) to prevent
     pip from removing system python packages (Closes: #771794)
Checksums-Sha1:
 833bc78df6adda5d7b4567fea0ce4f940fc33dec 2339 python-pip_1.5.6-4.dsc
 ce6671b73684babd0ad81027df91a679457ddc0d 18700 python-pip_1.5.6-4.debian.tar.xz
 5ca4cdaa523d9ece454d28ef020aad3b9ce7d1fd 113744 python-pip_1.5.6-4_all.deb
 0d8d8ef2b7bfa02d9bfcfff0b6903c2b9f5fc197 96758 python3-pip_1.5.6-4_all.deb
 988654787702f7b5169220192b071eddf8c0fa8c 125758 python-pip-whl_1.5.6-4_all.deb
Checksums-Sha256:
 ee7a2339f5dbe4c4b153254f2a3e2ac766d72a80e1bebf08efb910c95d9431cf 2339 python-pip_1.5.6-4.dsc
 ca116ab41783c4c18c77d3887cb4fd218711b845fe12b289d4d7573b3d31226e 18700 python-pip_1.5.6-4.debian.tar.xz
 91e6248ad99fdc068878c434d5cd4eb092d910df859d9e2045107c767f3f362b 113744 python-pip_1.5.6-4_all.deb
 c51c35a930cb4487f22a63e1c6a7426802be99b2ca8894f6a0d1d12da0abac48 96758 python3-pip_1.5.6-4_all.deb
 8946a41f70986396d2932e01bd88dbf480dfa309ae08a8051db4a2ff52c19134 125758 python-pip-whl_1.5.6-4_all.deb
Files:
 a0852e2ef14b4bbb50de1bdd159e687c 2339 python optional python-pip_1.5.6-4.dsc
 953eae825364097bd01a50ec05406cfd 18700 python optional python-pip_1.5.6-4.debian.tar.xz
 686379cd38d2ca6f734795c6dc01d7ec 113744 python optional python-pip_1.5.6-4_all.deb
 e35285813e2fc96e9c538200a9c615aa 96758 python optional python3-pip_1.5.6-4_all.deb
 402ffb66182bf4f19fb7f4400fa5565d 125758 python optional python-pip-whl_1.5.6-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUgqF5AAoJEHjX3vua1ZrxK9kQAMsCMtTfwJx2OF0LQlohwDSQ
b1igGmQXTICrWT0heM08gi/+LMHM88esCqFAQae9PvNOAJxh+HeEtGgwVHijhl/c
CtZH4gMiWBT0hyp9Z5FX/hqpzZEDGDjVr97ITyIJMIvZkeRop0Yd9oUJo8HGmvAs
yiShxbHDC5+yxgpE55za5uEbbC+bW0TINVoMryeodKih8WA1CkrN4KJAWg8iDDFn
cHsz8DLmcDgt27X0EHLnkdUxdaOIi64JWa1+/v+mf+9OQwaBiDCONmHh4fKlTOkq
Z/FYzw+9v40pRuTB7dmSFaosbZ9zpfyT5cXsUc2W26SYK4efVC7CL6NF00hwGAG4
q4adKTmzVMfmnaRIX+iGn+lF+bvfoM+NFNsWF/Ot4fOo7jqx5EHyJeUE8TChuP1N
J893XBmCe3Ea2+z/AZ1OdaFJ5rNCLjaPSK7zbdwWAVOfUdQmRFU8wIWJFTjI8MJM
j1Jk7wT+YAuziF332+Kc0tag5GJCz/GyJefoqUeKk5jSBtB1xX8ajndzPKQpaAnR
NJb8QE2dWeYjs+AuCne6NLmrkTXiAqZe3KQ6ct+2hiBFol8asBTjW1rjhfn9yIV7
PagfZI4ddsGP714Ud+zF1ynDKDkgGodbGrUnhMwN7hY0yJTWczJRhyVp/buJt93C
/llO9EYWOy2NGOChFFEJ
=vsFM
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.