Bug 1868135 (CVE-2019-20916)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py | |
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | cstratak, hhorak, jorton, lbalhar, m.cyprian, metherid, mhayden, mhroncok, mrunge, ncoghlan, orion, python-maint, python-sig, slavek.kabrda, smilner, steve.traylen, tflink, TicoTimo, torsava
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | python-pip 19.2 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an attacker who controls a malicious server to execute arbitrary code on the system. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2020-10-19 20:21:34 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1868016, 1868136, 1868137, 1868138, 1870184, 1877246, 1877247, 1877248, 1877249, 1877250, 1877251, 1882659, 1882661 | |
Bug Blocks: | 1868139 | |
Description
Pedro Sampaio
2020-08-11 19:25:19 UTC
Created python-pip tracking bugs for this issue:

Affects: epel-6 [bug 1868136]

Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1868137]

Created python-virtualenv tracking bugs for this issue:

Affects: epel-6 [bug 1868138]

Fixed upstream in version 19.2:

"""
Prevent pip install <url> from permitting directory traversal if e.g. a malicious server sends a Content-Disposition header with a filename containing ../ or ..\\. (#6413)
"""

https://pip.pypa.io/en/stable/news/#id219

Upstream PR and commit:
https://github.com/pypa/pip/pull/6418
https://github.com/pypa/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace

Statement:

This issue has been rated as having Moderate impact. Installing software from untrusted servers is strongly discouraged, as it may lead to system compromise regardless of this CVE. This flaw did not affect the versions of `python-pip` in Python 3.8 as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fix for this CVE.

Mitigation:

Avoid downloading or installing packages from potentially malicious servers via the command-line "pip download" or "pip install".

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-20916

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4432 https://access.redhat.com/errata/RHSA-2020:4432

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4654 https://access.redhat.com/errata/RHSA-2020:4654

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5234 https://access.redhat.com/errata/RHSA-2022:5234
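The traversal the upstream changelog describes, and the basename-style fix that closed it, as an added Python example that is not pip's own code: the download directory and the header values are constructed, and the hardened path adds a final containment check on top of the basename step.

```python
import ntpath
import os
from email.message import Message

# Constructed download directory for this example; pip would use its own.
DOWNLOAD_DIR = "/srv/pip-downloads"


def parse_content_disposition(header: str) -> "str | None":
    """Filename parameter of a Content-Disposition header, or None if absent."""
    # email.message handles RFC 2045 quoting and RFC 2231 filename*=charset''...,
    # so a percent-encoded ../ is already decoded by the time we see it.
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def is_safe_filename(name: str) -> bool:
    """A bare file name: no '/' or '\\' and not '', '.' or '..'."""
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name


def sanitize_content_filename(filename: str) -> str:
    """Keep only the last path component. ntpath.basename splits on both '/'
    and '\\' whatever the host OS, which covers the ../ and ..\\ cases."""
    name = ntpath.basename(filename)
    if not is_safe_filename(name):
        raise ValueError(f"unsafe filename from server: {filename!r}")
    return name


def escapes_dir(download_dir: str, path: str) -> bool:
    """True when path resolves (symlinks included) outside download_dir."""
    root = os.path.realpath(download_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def unsafe_target_path(header: str, fallback: str) -> str:
    """Shape of the pre-19.2 bug: the server's filename is joined verbatim."""
    return os.path.join(DOWNLOAD_DIR, parse_content_disposition(header) or fallback)


def safe_target_path(header: str, fallback: str) -> str:
    """Hardened version: basename the server's value, then re-check the join."""
    name = parse_content_disposition(header)
    target = os.path.join(DOWNLOAD_DIR, sanitize_content_filename(name) if name else fallback)
    if escapes_dir(DOWNLOAD_DIR, target):  # defence in depth; never expected to fire
        raise ValueError(f"refusing to write outside {DOWNLOAD_DIR}: {target}")
    return target
```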