Date: Fri, 26 Jul 2013 12:03:16 +0000
From: isis agora lovecruft <>
Subject: Requesting CVE-ID(s) for Python's pip

I would also like to request CVE assignment(s) for two issues in pip
(, related to Donald Stufft's.

First issue:
  Python's pip versions 1.4.x and earlier are vulnerable to an Arbitrary Code
  Execution Attack due to incorrect regexp parsing of external download links
  in the following functions in pip/

    * PackageFinder._get_pages()
    * PackageFinder._sort_links()
    * PackageFinder._package_versions()
    * PackageFinder._link_package_versions()

  Which allow an attacker with the ability to Man-in-the-Middle external
  package URIs (which often include external HTTP URIs, and can include the
  module author's personal website, see
  to specify an arbitrarily high package version number and gain code

  Upstream bugtracker reports:

  Other mentions:

  This issue is fixed in pip>=1.5.x by Donald Stufft in the following commits:

Second issue:
  Python's pip versions 1.5.x and earlier use MD5 hashes for verification of
  package integrity against PyPI (which defaults to providing MD5).

These issues appear to be unrelated to Donald Stufft's CVE ID request filed
earlier today, and additionally unrelated to the following already assigned

  * CVE-2013-1888 Pip builds in /tmp

  * CVE-2013-1629 Pip<1.3.0 uses a default package index without SSL

 ♥Ⓐ isis agora lovecruft
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys:

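The two issues in the message above, as an added illustrative example in Python that is not pip's code and not the poster's: a toy link finder that sorts candidate downloads by version number alone (the behaviour the report attributes to pip 1.4.x, modelled here, not pip's actual `PackageFinder` logic) beside a hardened variant that only admits HTTPS links from the index host carrying a SHA-256 fragment, and a download verifier that refuses MD5 fragments. The index host `pypi.example.test`, the project name `demopkg`, the sample links and the archive bytes are all constructed for the demonstration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Hypothetical index host; any name would do for the demonstration.
INDEX_HOST = "pypi.example.test"

# Constructed archive contents standing in for a real sdist.
GOOD_ARCHIVE = b"constructed sdist bytes for demopkg-1.2.0\n"
GOOD_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()
GOOD_MD5 = hashlib.md5(GOOD_ARCHIVE).hexdigest()

# Constructed link set: two links served by the index itself and one
# "external" plain-HTTP link of the kind an on-path attacker could rewrite
# to advertise an absurdly high version.
SAMPLE_LINKS = [
    f"https://{INDEX_HOST}/packages/demopkg-1.1.0.tar.gz#md5={GOOD_MD5}",
    f"https://{INDEX_HOST}/packages/demopkg-1.2.0.tar.gz#sha256={GOOD_SHA256}",
    "http://author-homepage.example.test/dl/demopkg-99.0.0.tar.gz",
]

LINK_RE = re.compile(r"(?P<name>[A-Za-z0-9_.]+?)-(?P<ver>\d+(?:\.\d+)*)\.tar\.gz$")
HASH_RE = re.compile(r"^(?P<algo>md5|sha1|sha256)=(?P<hex>[0-9a-f]+)$")


def parse_link(url):
    """Extract project name, numeric version tuple, origin and hash fragment."""
    parts = urlparse(url)
    basename = parts.path.rsplit("/", 1)[-1]
    m = LINK_RE.match(basename)
    if not m:
        return None
    h = HASH_RE.match(parts.fragment)
    return {
        "url": url,
        "name": m.group("name").lower(),
        "version": tuple(int(x) for x in m.group("ver").split(".")),
        "scheme": parts.scheme,
        "host": parts.hostname,
        "hash_algo": h.group("algo") if h else None,
        "hash_hex": h.group("hex") if h else None,
    }


def pick_naive(links, name):
    """Model of the reported behaviour: every parsed link competes on version
    number alone, so an injected external link with a huge version wins."""
    cands = [p for p in map(parse_link, links) if p and p["name"] == name]
    return max(cands, key=lambda p: p["version"])["url"] if cands else None


def pick_hardened(links, name, index_host=INDEX_HOST):
    """Only HTTPS links from the index host that carry a SHA-256 fragment are
    eligible; the attacker-controlled link is discarded before sorting."""
    cands = [
        p for p in map(parse_link, links)
        if p and p["name"] == name
        and p["scheme"] == "https" and p["host"] == index_host
        and p["hash_algo"] == "sha256"
    ]
    return max(cands, key=lambda p: p["version"])["url"] if cands else None


def verify_download(data, url, allowed=("sha256",)):
    """Check downloaded bytes against the link's hash fragment, refusing MD5
    (the second issue) and any link that carries no fragment at all."""
    p = parse_link(url)
    if not p or p["hash_algo"] not in allowed:
        return False
    digest = hashlib.new(p["hash_algo"], data).hexdigest()
    return hmac.compare_digest(digest, p["hash_hex"])


if __name__ == "__main__":
    print("naive:   ", pick_naive(SAMPLE_LINKS, "demopkg"))
    print("hardened:", pick_hardened(SAMPLE_LINKS, "demopkg"))
```

The naive selector returns the plain-HTTP `demopkg-99.0.0` link because nothing but the version string is consulted; the hardened selector never lets an untrusted origin into the candidate list, and `verify_download` ties the bytes that actually arrive to a SHA-256 value the index published, so a rewritten body is rejected even if the link itself was trusted.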