Date: Fri, 22 Mar 2013 14:45:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: David Black <disclosure@....org>
Subject: Re: CVE Request: python-pip insecure temporary directory
 handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/22/2013 02:20 AM, David Black wrote:
> On Fri, Mar 22, 2013 at 5:28 PM, Kurt Seifried
> <kseifried@...hat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 03/20/2013 08:13 AM, David Black wrote:
>>> Prior to version 1.3 pip used '/tmp/pip-build' as a temporary 
>>> directory and as per the report in 
>>> https://github.com/pypa/pip/issues/725 would follow a symbolic 
>>> link placed at '/tmp/pip-build' when writing temporary files.
>>> 
>> 
>> Is this the one actually fixed in 
>> https://github.com/pypa/pip/pull/780/files
>> 
>> ? thanks.
> 
> Yes it is.

Please use CVE-2013-1888 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----
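The thread above describes pip (before 1.3) creating its build files under the fixed path `/tmp/pip-build`, so a symbolic link pre-planted at that name redirected the writes elsewhere. The following is an added illustration written for this page, not pip's own code and not the contents of pull request 780: it contrasts a simplified fixed-path writer that shows the reported behaviour against a writer that uses `tempfile.mkdtemp` plus an explicit ownership/permission check, and it runs the two against a constructed symlink inside a throwaway directory. All paths, function names and the `demo()` scenario are constructed for the example.

```python
import os
import stat
import tempfile


def write_build_file_unsafe(base, name, data):
    """Simplified pre-1.3-style pattern (constructed for illustration):
    a fixed, predictable directory name is reused across runs.
    os.makedirs(exist_ok=True) accepts an existing symlink that points at
    a directory, so the file lands wherever the link points."""
    build_dir = os.path.join(base, "pip-build")  # stands in for /tmp/pip-build
    os.makedirs(build_dir, exist_ok=True)
    path = os.path.join(build_dir, name)
    with open(path, "w") as fh:
        fh.write(data)
    return os.path.realpath(path)


def check_build_dir(path):
    """Defensive check on a build directory before trusting it.
    Uses lstat so a symlink is seen as a symlink rather than followed.
    Returns 'ok' or a short reason for rejection."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != os.getuid():
        return "owned by another user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable"
    return "ok"


def write_build_file_safe(base, name, data):
    """Hardened pattern: a fresh, unpredictable, mode-0700 directory from
    mkdtemp (which fails rather than reuses an existing name), verified
    with check_build_dir, and files created with O_EXCL so a pre-existing
    entry is an error instead of something to follow."""
    build_dir = tempfile.mkdtemp(prefix="pip-build-", dir=base)
    reason = check_build_dir(build_dir)
    if reason != "ok":
        raise RuntimeError("refusing build dir %s: %s" % (build_dir, reason))
    path = os.path.join(build_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return os.path.realpath(path)


def demo():
    """Reproduce the reported condition inside a private sandbox directory:
    a symlink named 'pip-build' pointing at an unrelated 'victim' directory.
    Returns where each writer actually put its file and what the check says."""
    sandbox = tempfile.mkdtemp(prefix="tmpdir-demo-")
    victim = os.path.join(sandbox, "victim")
    os.mkdir(victim)
    planted = os.path.join(sandbox, "pip-build")
    os.symlink(victim, planted)  # constructed: the pre-planted link

    unsafe_path = write_build_file_unsafe(sandbox, "setup.py", "print('hi')\n")
    safe_path = write_build_file_safe(sandbox, "setup.py", "print('hi')\n")
    victim_real = os.path.realpath(victim)
    return {
        "unsafe_landed_in_victim": os.path.dirname(unsafe_path) == victim_real,
        "planted_dir_check": check_build_dir(planted),
        "safe_landed_in_victim": os.path.dirname(safe_path) == victim_real,
        "safe_dir_check": check_build_dir(os.path.dirname(safe_path)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Running `demo()` shows the fixed-path writer's file ending up inside `victim` while `check_build_dir` flags the planted name as a symlink; the `mkdtemp`-based writer never touches the planted name because it does not reuse a caller-chosen directory at all. The check is the part worth keeping in any tool that must work under a shared `/tmp`: the combination of `lstat`, an owner comparison and a permission-bit test catches a pre-existing link or foreign directory before anything is written.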
