Bug 2250765 (CVE-2023-5752)

Summary: CVE-2023-5752 pip: Mercurial configuration injectable in repo revision when installing via pip
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aarif, adudiak, agarcial, aoconnor, apatel, aprice, asegurap, bdettelb, caswilli, davidn, dfreiber, drow, eglynn, epacific, fjansen, hkataria, jburrell, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsamir, jsherril, jtanner, kaycoth, kgaikwad, kshier, lmadsen, mabashia, mburns, mgarciac, mhroncok, mpierce, mrunge, orabin, owatkins, psegedy, rbobbitt, saroy, sdawley, simaishi, smcdonal, stcannon, sthirugn, supatil, teagle, tfister, tsasak, vkrizan, vkumar, vmugicag, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pip 23.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Python pip package. pip could allow a local authenticated attacker to bypass security restrictions because of a flaw in how it installs a package from a Mercurial VCS URL. By supplying a specially crafted revision, an attacker can inject arbitrary configuration options into the "hg clone" call and so modify how and which repository is installed.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2250767, 2250771, 2263291
Bug Blocks: 2250766

Description Avinash Hanwate 2023-11-21 04:07:49 UTC
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
https://github.com/pypa/pip/pull/12306
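As an added illustration (my own code, not pip's and not taken from the advisory or the linked PR), the block below shows how a revision taken from an "hg+" requirement ends up on the hg command line, a hardened argument shape that binds the revision to "--rev=" so hg cannot read it as an option, and an audit that flags requirement lines whose revision begins with "-". The function names, the sample requirement lines and the choice of "--rev=" as the hardening are assumptions made for the example.

```python
"""Mercurial revision handling for pip-style "hg+<url>@<rev>" requirements.
Constructed example; names and sample data are not pip's own."""
from typing import List, Tuple

# Constructed sample requirements file; "example.invalid" is a placeholder host.
SAMPLE_REQUIREMENTS = [
    "hg+https://example.invalid/good@v1.0#egg=good",
    "requests==2.31.0",
    "hg+ssh://user@example.invalid/plain",
    "hg+https://example.invalid/pkg@--config=ui.x=y",
]


def split_hg_requirement(req: str) -> Tuple[str, str]:
    """Split "hg+<url>[@<rev>][#fragment]" into (clone_url, rev).
    rev is "" when no revision is given. A '@' that belongs to a
    user@host part of the URL is not treated as a revision separator."""
    if not req.startswith("hg+"):
        raise ValueError("not a Mercurial VCS requirement")
    url = req[len("hg+"):].partition("#")[0]   # drop #egg=... fragment
    base, sep, rev = url.rpartition("@")
    if not sep or "/" in rev:
        return url, ""
    return base, rev


def update_args_unsafe(rev: str) -> List[str]:
    """Pre-fix argument shape (constructed): the revision is passed as a
    bare positional argument, so a value starting with '-' is parsed by
    hg as an option rather than as a revision."""
    return ["hg", "update", "-q", rev]


def update_args_hardened(rev: str) -> List[str]:
    """Hardened shape: the revision is glued to --rev with '=', so hg
    always sees one option whose value is the revision, whatever it starts
    with. Passing the list to subprocess without a shell avoids re-parsing."""
    return ["hg", "update", "-q", f"--rev={rev}"]


def audit_requirements(lines: List[str]) -> List[str]:
    """Return the hg+ requirement lines whose revision starts with '-'.
    Legitimate commit ids, tags and branch names do not begin with '-',
    so such a line deserves review before any install runs."""
    flagged = []
    for line in lines:
        line = line.strip()
        if line.startswith("hg+"):
            _, rev = split_hg_requirement(line)
            if rev.startswith("-"):
                flagged.append(line)
    return flagged
```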

Comment 3 Sandipan Roy 2023-11-21 05:20:25 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2250771]

Comment 6 Miro Hrončok 2024-02-07 18:19:01 UTC
Could you please open Fedora bugzilla for python-pip?

Comment 7 Sandipan Roy 2024-02-08 04:28:25 UTC
In reply to comment #6:
> Could you please open Fedora bugzilla for python-pip?

Done.

Comment 8 Sandipan Roy 2024-02-08 04:29:36 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 2263291]

Comment 9 Miro Hrončok 2024-02-08 07:47:36 UTC
Thank you!

Comment 11 errata-xmlrpc 2024-06-10 18:36:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781