Bug 1868135 (CVE-2019-20916) - CVE-2019-20916 python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
Summary: CVE-2019-20916 python-pip: directory traversal in _download_http_url() functi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1868016 1868136 1868137 1868138 1870184 1877246 1877247 1877248 1877249 1877250 1877251 1882659 1882661
Blocks: 1868139
TreeView+ depends on / blocked
 
Reported: 2020-08-11 19:25 UTC by Pedro Sampaio
Modified: 2023-12-15 18:48 UTC (History)
19 users (show)

Fixed In Version: python-pip 19.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an attacker who controls a malicious server to execute arbitrary code on the system.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:34 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4273 0 None None None 2020-10-20 16:00:53 UTC
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:05:45 UTC
Red Hat Product Errata RHSA-2020:4432 0 None None None 2020-11-04 00:51:30 UTC
Red Hat Product Errata RHSA-2020:4654 0 None None None 2020-11-04 02:42:27 UTC
Red Hat Product Errata RHSA-2022:5234 0 None None None 2022-06-28 09:46:57 UTC

Description Pedro Sampaio 2020-08-11 19:25:19 UTC 
A flaw was found in python-pip. Installing remote packages is vulnerable to directory traversal via Content-Disposition header by a malicious server.

Upstream issue:

https://github.com/pypa/pip/issues/6413
Comment 1 Pedro Sampaio 2020-08-11 19:25:53 UTC 
Created python-pip tracking bugs for this issue:

Affects: epel-6 [bug 1868136]


Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1868137]


Created python-virtualenv tracking bugs for this issue:

Affects: epel-6 [bug 1868138]
Comment 5 Tomas Hoger 2020-08-25 15:57:12 UTC 
Fixed upstream in version 19.2:

"""
Prevent pip install <url> from permitting directory traversal if e.g. a malicious server sends a Content-Disposition header with a filename containing ../ or ..\\. (#6413)
"""

https://pip.pypa.io/en/stable/news/#id219

Upstream PR and commit:

https://github.com/pypa/pip/pull/6418
https://github.com/pypa/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
Comment 8 Mauro Matteo Cascella 2020-09-09 09:17:20 UTC 
Statement:

This issue has been rated as having Moderate impact. Installing software from untrusted servers is strongly discouraged, as it may lead to system compromise regardless of this CVE.

This flaw did not affect the versions of `python-pip` in Python 3.8 as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fix for this CVE.
Comment 9 Mauro Matteo Cascella 2020-09-09 09:17:24 UTC 
Mitigation:

Avoid downloading or installing packages from potentially malicious servers via the command-line "pip download" or "pip install".
Comment 15 errata-xmlrpc 2020-10-19 18:05:44 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
Comment 16 Product Security DevOps Team 2020-10-19 20:21:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20916
Comment 17 errata-xmlrpc 2020-10-20 16:00:52 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273
Comment 18 errata-xmlrpc 2020-11-04 00:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4432 https://access.redhat.com/errata/RHSA-2020:4432
Comment 19 errata-xmlrpc 2020-11-04 02:42:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4654 https://access.redhat.com/errata/RHSA-2020:4654
Comment 22 errata-xmlrpc 2022-06-28 09:46:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5234 https://access.redhat.com/errata/RHSA-2022:5234
Note You need to log in before you can comment on or make changes to this bug.