It was reported [1] that the build directory in pip is predictable, so a local DoS is possible simply by creating a /tmp/pip-build-<username>/ directory owned by someone other than the defined user. Upstream patch that fixes this (will be included in pip 6.0): https://github.com/pypa/pip/pull/2122 [1]: http://seclists.org/oss-sec/2014/q4/655
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Entry from the changelog of upstream version 6.0: Fixed #1964, #1935, #676, Use a randomized and secure default build directory when possible. (PR #2122, CVE-2014-8991) https://pip.pypa.io/en/latest/news.html https://github.com/pypa/pip/pull/2122 https://github.com/pypa/pip/issues/676 https://github.com/pypa/pip/issues/1935 https://github.com/pypa/pip/issues/1964