Red Hat Bugzilla – Bug 923976
python-pip: insecure temporary directory usage [epel-all]
Last modified: 2013-06-04 16:01:25 EDT
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug. This will ensure that all associated bugs get
updated when new packages are pushed to stable.
Please also ensure that the "Close bugs when update is stable" option
Bodhi update submission link:
python-pip-1.3.1-1.el6 has been submitted as an update for Fedora EPEL 6.
Crashes on el5, not updated:
Python 2.4.3 (#1, Jan 9 2013, 06:49:54)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pip
Traceback (most recent call last):
File "<stdin>", line 1, in ?
File "/usr/lib/python2.4/site-packages/pip/__init__.py", line 12, in ?
from pip.commands import commands, get_similar_commands, get_summaries
File "/usr/lib/python2.4/site-packages/pip/commands/__init__.py", line 6, in ?
from pip.commands.bundle import BundleCommand
File "/usr/lib/python2.4/site-packages/pip/commands/bundle.py", line 5, in ?
from pip.commands.install import InstallCommand
File "/usr/lib/python2.4/site-packages/pip/commands/install.py", line 5, in ?
from pip.req import InstallRequirement, RequirementSet, parse_requirements
File "/usr/lib/python2.4/site-packages/pip/req.py", line 1292
skip_regex = options.skip_requirements_regex if options else None
SyntaxError: invalid syntax
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-pip-1.3.1-1.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
talked with tflink on IRC about el5.
He's leaning towards retiring python-pip for EL5. Then it would be possible for someone interested to create a python26-pip package if they wished. That would mean that installing modules via pip would only be possible for the python26 interpreter, not the python-2.4 that ships with RHEL5. But for a lot of developers, that might not be so bad. If someone really wants pip as an rpm for python-2.4 they'd need to either port the current pip to python-2.4 or backport this security fix, backport pip's change to use pypi's https url and check the SSL hostname, and fix pip's implementation of ssl_match_hostname to either use the python-backports-ssl-match_hostname package or to not be vulnerable to CVE-2013-2099: https://bugzilla.redhat.com/show_bug.cgi?id=963260#c14
Let me know what is decided here so that I can advise the python-virtualenv maintainer what to do for these vulnerabilities and issues in the python-virtualenv epel5 package (which is bundling an this older, insecure version of pip).
We have no problem with either retiring it or backporting, so I suppose the answer is whether or not anyone wants to invest the effort there. My personal opinion is that not having python-pip available is better than having it available and unfixed.