Bug 2250765 (CVE-2023-5752) - CVE-2023-5752 pip: Mercurial configuration injectable in repo revision when installing via pip
Keywords:
Status: NEW
Alias: CVE-2023-5752
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2250767 2250771 2263291
Blocks: 2250766
Reported: 2023-11-21 04:07 UTC by Avinash Hanwate
Modified: 2024-05-01 15:53 UTC
CC: 57 users

Fixed In Version: pip 23.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Python pip package. When pip installs a package from a Mercurial VCS URL ("pip install hg+..."), the revision given in the URL is passed to the hg command line in a form that lets it be read as an option instead of a revision. An attacker who controls that URL, for example through a requirements file, can inject arbitrary configuration options ("--config") into the "hg clone" call and so modify how and which repository is installed. Users who do not install from Mercurial are not affected.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Avinash Hanwate 2023-11-21 04:07:49 UTC
When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
https://github.com/pypa/pip/pull/12306
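
The mechanism described in the Doc Text and in the report above, as an added example that is not part of this bug or of pip's own code: a simplified model of how the revision taken from an "hg+URL@rev" requirement reaches the hg command line, why a revision that begins with "-" can smuggle in "--config", and the fix of binding the value to an explicit --rev option. The argv builders are an assumption standing in for a VCS backend (pip's Mercurial backend clones with --noupdate and then runs "hg update REV"; the advisory above speaks of the clone call), the argparse model stands in for Mercurial's own option parser, and the hostnames, package names and the injected "ui.verbose=true" option are constructed placeholders. No hg process is spawned.

```python
# Added example, not pip's code. Assumptions: the argv builders stand in for a
# VCS backend that clones with --noupdate and then runs "hg update REV"; the
# argparse parser stands in for Mercurial's option parsing. No hg is executed.
import argparse
from typing import List, Optional, Tuple


def split_hg_url(requirement: str) -> Tuple[str, Optional[str]]:
    """Split 'hg+https://host/repo@rev[#egg=name]' into (clone_url, rev).

    The revision is whatever follows the last '@', so whoever controls the
    requirement string controls the revision verbatim. The '#...' fragment
    (egg name) is dropped first; the same split also drops an inline comment.
    """
    req = requirement.split("#", 1)[0].strip()
    if not req.startswith("hg+"):
        raise ValueError(f"not a Mercurial VCS URL: {requirement!r}")
    rest = req[len("hg+"):]
    if "@" not in rest:
        return rest, None
    clone_url, rev = rest.rsplit("@", 1)
    return clone_url, rev or None


def hg_update_argv_vulnerable(rev: str) -> List[str]:
    """Pre-fix shape: the revision is a bare argument, so '-...' parses as an option."""
    return ["hg", "update", "-q", rev]


def hg_update_argv_fixed(rev: str) -> List[str]:
    """Fixed shape: --rev=REV binds the value, so it can only be a revision."""
    return ["hg", "update", "-q", f"--rev={rev}"]


def model_hg_update(argv: List[str]) -> Tuple[Optional[str], List[str]]:
    """Stand-in for hg parsing `hg update [-q] [--config X]... [--rev R] [REV]`.

    Returns (revision that would be checked out, --config overrides applied).
    """
    parser = argparse.ArgumentParser(prog="hg", add_help=False)
    sub = parser.add_subparsers(dest="cmd")
    update = sub.add_parser("update", add_help=False)
    update.add_argument("-q", "--quiet", action="store_true")
    update.add_argument("--config", action="append", default=[])
    update.add_argument("--rev")
    update.add_argument("rev_pos", nargs="?")
    ns = parser.parse_args(argv[1:])  # argv[0] is the program name
    return ns.rev or ns.rev_pos, ns.config


def demonstrate(rev: str) -> dict:
    """Run one revision through both argv shapes and the parser model."""
    return {
        "vulnerable": model_hg_update(hg_update_argv_vulnerable(rev)),
        "fixed": model_hg_update(hg_update_argv_fixed(rev)),
    }


def scan_requirements(lines: List[str]) -> List[str]:
    """Flag hg+ requirements whose revision an unfixed pip would hand to hg as an option."""
    flagged = []
    for line in lines:
        req = line.split("#", 1)[0].strip()
        if not req.startswith("hg+"):
            continue
        _, rev = split_hg_url(req)
        if rev is not None and rev.startswith("-"):
            flagged.append(req)
    return flagged


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "# constructed sample",
    "requests==2.31.0",
    "hg+https://hg.example.org/goodpkg@abc123#egg=goodpkg",
    "hg+https://hg.example.org/badpkg@--config=ui.verbose=true",
    "git+https://git.example.org/other@main",
]


if __name__ == "__main__":
    injected = "--config=ui.verbose=true"  # benign placeholder for an injected option
    for name, (rev, cfg) in demonstrate(injected).items():
        print(f"{name:10s} checkout rev={rev!r}  injected config={cfg}")
    print("flagged:", scan_requirements(SAMPLE_REQUIREMENTS))
```

In the vulnerable shape the model checks out no revision at all and applies the injected configuration; in the fixed shape the same string is only ever a revision name. Terminating option parsing with a bare "--" before the revision is the other standard fix; which form pip 23.3 adopted is visible in the linked pull request. The scanner is the check to run over requirement files and lock files on hosts that still carry pip older than 23.3: a Mercurial revision never legitimately begins with "-".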

Comment 3 Sandipan Roy 2023-11-21 05:20:25 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2250771]

Comment 6 Miro Hrončok 2024-02-07 18:19:01 UTC
Could you please open Fedora bugzilla for python-pip?

Comment 7 Sandipan Roy 2024-02-08 04:28:25 UTC
In reply to comment #6:
> Could you please open Fedora bugzilla for python-pip?

Done.

Comment 8 Sandipan Roy 2024-02-08 04:29:36 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 2263291]

Comment 9 Miro Hrončok 2024-02-08 07:47:36 UTC
Thank you!