Bug 923976 - python-pip: insecure temporary directory usage [epel-all]
Summary: python-pip: insecure temporary directory usage [epel-all]
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-pip
Version: el6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tim Flink
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: CVE-2013-1888
TreeView+ depends on / blocked
Reported: 2013-03-20 20:19 UTC by Vincent Danen
Modified: 2013-06-04 20:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed:
Type: ---

Attachments (Terms of Use)

Description Vincent Danen 2013-03-20 20:19:34 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Vincent Danen 2013-03-20 20:19:47 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:

Comment 2 Fedora Update System 2013-04-26 13:06:19 UTC
python-pip-1.3.1-1.el6 has been submitted as an update for Fedora EPEL 6.

Comment 3 Gwyn Ciesla 2013-04-26 13:14:16 UTC
Crashes on el5, not updated:

Python 2.4.3 (#1, Jan  9 2013, 06:49:54) 
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pip
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/site-packages/pip/__init__.py", line 12, in ?
    from pip.commands import commands, get_similar_commands, get_summaries
  File "/usr/lib/python2.4/site-packages/pip/commands/__init__.py", line 6, in ?
    from pip.commands.bundle import BundleCommand
  File "/usr/lib/python2.4/site-packages/pip/commands/bundle.py", line 5, in ?
    from pip.commands.install import InstallCommand
  File "/usr/lib/python2.4/site-packages/pip/commands/install.py", line 5, in ?
    from pip.req import InstallRequirement, RequirementSet, parse_requirements
  File "/usr/lib/python2.4/site-packages/pip/req.py", line 1292
    skip_regex = options.skip_requirements_regex if options else None
SyntaxError: invalid syntax

Comment 4 Fedora Update System 2013-04-27 02:05:04 UTC
Package python-pip-1.3.1-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-pip-1.3.1-1.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 5 Toshio Ernie Kuratomi 2013-05-31 16:48:40 UTC
talked with tflink on IRC about el5.

He's leaning towards retiring python-pip for EL5.  Then it would be possible for someone interested to create a python26-pip package if they wished.  That would mean that installing modules via pip would only be possible for the python26 interpreter, not the python-2.4 that ships with RHEL5.  But for a lot of developers, that might not be so bad.  If someone really wants pip as an rpm for python-2.4 they'd need to either port the current pip to python-2.4 or backport this security fix, backport pip's change to use pypi's https url and check the SSL hostname, and fix pip's implementation of ssl_match_hostname to either use the python-backports-ssl-match_hostname package or to not be vulnerable to CVE-2013-2099: https://bugzilla.redhat.com/show_bug.cgi?id=963260#c14

Let me know what is decided here so that I can advise the python-virtualenv maintainer what to do for these vulnerabilities and issues in the python-virtualenv epel5 package (which is bundling an this older, insecure version of pip).

Comment 6 Vincent Danen 2013-06-04 20:01:25 UTC
We have no problem with either retiring it or backporting, so I suppose the answer is whether or not anyone wants to invest the effort there.  My personal opinion is that not having python-pip available is better than having it available and unfixed.

Note You need to log in before you can comment on or make changes to this bug.