Bug 923976 - python-pip: insecure temporary directory usage [epel-all]
python-pip: insecure temporary directory usage [epel-all]
Status: MODIFIED
Product: Fedora EPEL
Classification: Fedora
Component: python-pip (Show other bugs)
el6
All Linux
low Severity low
: ---
: ---
Assigned To: Tim Flink
Fedora Extras Quality Assurance
: Security, SecurityTracking
Depends On:
Blocks: CVE-2013-1888
  Show dependency treegraph
 
Reported: 2013-03-20 16:19 EDT by Vincent Danen
Modified: 2013-06-04 16:01 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-03-20 16:19:34 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
Comment 1 Vincent Danen 2013-03-20 16:19:47 EDT
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=923974,923976
Comment 2 Fedora Update System 2013-04-26 09:06:19 EDT
python-pip-1.3.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-pip-1.3.1-1.el6
Comment 3 Jon Ciesla 2013-04-26 09:14:16 EDT
Crashes on el5, not updated:

Python 2.4.3 (#1, Jan  9 2013, 06:49:54) 
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pip
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/site-packages/pip/__init__.py", line 12, in ?
    from pip.commands import commands, get_similar_commands, get_summaries
  File "/usr/lib/python2.4/site-packages/pip/commands/__init__.py", line 6, in ?
    from pip.commands.bundle import BundleCommand
  File "/usr/lib/python2.4/site-packages/pip/commands/bundle.py", line 5, in ?
    from pip.commands.install import InstallCommand
  File "/usr/lib/python2.4/site-packages/pip/commands/install.py", line 5, in ?
    from pip.req import InstallRequirement, RequirementSet, parse_requirements
  File "/usr/lib/python2.4/site-packages/pip/req.py", line 1292
    skip_regex = options.skip_requirements_regex if options else None
                                                  ^
SyntaxError: invalid syntax
Comment 4 Fedora Update System 2013-04-26 22:05:04 EDT
Package python-pip-1.3.1-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-pip-1.3.1-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5562/python-pip-1.3.1-1.el6
then log in and leave karma (feedback).
Comment 5 Toshio Ernie Kuratomi 2013-05-31 12:48:40 EDT
talked with tflink on IRC about el5.

He's leaning towards retiring python-pip for EL5.  Then it would be possible for someone interested to create a python26-pip package if they wished.  That would mean that installing modules via pip would only be possible for the python26 interpreter, not the python-2.4 that ships with RHEL5.  But for a lot of developers, that might not be so bad.  If someone really wants pip as an rpm for python-2.4 they'd need to either port the current pip to python-2.4 or backport this security fix, backport pip's change to use pypi's https url and check the SSL hostname, and fix pip's implementation of ssl_match_hostname to either use the python-backports-ssl-match_hostname package or to not be vulnerable to CVE-2013-2099: https://bugzilla.redhat.com/show_bug.cgi?id=963260#c14

Let me know what is decided here so that I can advise the python-virtualenv maintainer what to do for these vulnerabilities and issues in the python-virtualenv epel5 package (which is bundling an this older, insecure version of pip).
Comment 6 Vincent Danen 2013-06-04 16:01:25 EDT
We have no problem with either retiring it or backporting, so I suppose the answer is whether or not anyone wants to invest the effort there.  My personal opinion is that not having python-pip available is better than having it available and unfixed.

Note You need to log in before you can comment on or make changes to this bug.