Bug 14969

Summary: python-pip new security issue CVE-2014-8991
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, makowski.mageia, olchal, ottoleipala1, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628615/
Whiteboard: has_procedure advisory mga4-64-ok MGA4-32-OK
Source RPM: python-pip-1.5.6-7.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-01-06 22:02:06 CET 
Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html

CVE-2014-8991 has been issued for this on November 20:
http://openwall.com/lists/oss-security/2014/11/20/6

Fedora has added this patch to 1.5.6 in Fedora 21:
http://pkgs.fedoraproject.org/cgit/python-pip.git/plain/local-dos.patch?h=f21&id=a7c7b123d7d980c2f73096b9956f78c629fc301b

Fedora has not yet addressed this in 1.4.1 in Fedora 20 (the same version we have in Mageia 4), but it is also affected.

Here's the RedHat bug for this (missing from the Fedora advisory):
https://bugzilla.redhat.com/show_bug.cgi?id=1166137

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-06 22:02:15 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Philippe Makowski 2015-01-07 22:39:56 CET 
I updated both

python-pip-1.4.1-4.1.mga4
and
python-pip-1.5.6-8.mga5
Comment 2 David Walser 2015-01-07 23:21:28 CET 
Thanks Philippe!

Advisory:
========================

Updated python-pip packages fix security vulnerability:

pip 1.3 through 1.5.6 allows local users to cause a denial of service
(prevention of package installation) by creating a /tmp/pip-build-* file for
another user (CVE-2014-8991).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8991
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html
http://openwall.com/lists/oss-security/2014/11/20/6
========================

Updated packages in core/updates_testing:
========================
python-pip-1.4.1-4.1.mga4
python3-pip-1.4.1-4.1.mga4

from python-pip-1.4.1-4.1.mga4.src.rpm

CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 3 claire robinson 2015-01-08 22:34:36 CET 
Pip is used to install and remove python modules from upstream
eg: https://pypi.python.org/pypi

To use, pick a module you don't already have from the list there

I chose circonus. First check it isn't already installed..

# pip list | grep circonus

Install it..
# pip install circonus
Downloading/unpacking circonus
  Downloading circonus-0.0.1.tar.gz
  Running setup.py egg_info for package circonus
    
    Not SVN Repository
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python2.7/site-packages (from circonus)
Installing collected packages: circonus
  Running setup.py install for circonus
    
    Not SVN Repository
Successfully installed circonus
Cleaning up...

Check it..
# pip show circonus
---
Name: circonus
Version: 0.0.1
Location: /usr/lib/python2.7/site-packages
Requires: requests

Remove it..
# pip uninstall circonus
Uninstalling circonus:
  /usr/lib/python2.7/site-packages/circonus-0.0.1-py2.7.egg-info
  /usr/lib/python2.7/site-packages/circonus/__init__.py
  /usr/lib/python2.7/site-packages/circonus/__init__.pyc
  /usr/lib/python2.7/site-packages/circonus/client.py
  /usr/lib/python2.7/site-packages/circonus/client.pyc
  /usr/lib/python2.7/site-packages/circonus/tag.py
  /usr/lib/python2.7/site-packages/circonus/tag.pyc
  /usr/lib/python2.7/site-packages/circonus/util.py
  /usr/lib/python2.7/site-packages/circonus/util.pyc
Proceed (y/n)? y
  Successfully uninstalled circonus

Check it removed ok..
# pip list | grep circonus

Whiteboard: (none) => has_procedure

Comment 4 Herman Viaene 2015-01-09 09:49:46 CET 
MGA4-64 on HP Probook 6555b KDE.
No installation issue.
Running pip list | grep circonus
returns nothing : OK
but
 pip install circonus
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 134, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 224, in run
    session=session,
NameError: global name 'session' is not defined

Storing complete log in /home/tester4/.pip/pip.log
The log file shows exactly the same. Something missing in my configuration?

CC: (none) => herman.viaene

Comment 5 Philippe Makowski 2015-01-09 09:57:03 CET 
(In reply to Herman Viaene from comment #4)
> MGA4-64 on HP Probook 6555b KDE.
> No installation issue.
> The log file shows exactly the same. Something missing in my configuration?

is that the python-pip-1.4.1-4.1.mga4 version from testing ? or the previous one ?
Comment 7 Otto Leipälä 2015-01-09 10:09:43 CET 
I get same error too try to install it with pip install.

CC: (none) => ozkyster

Comment 8 Philippe Makowski 2015-01-09 11:10:50 CET 
ok thanks, seems then that my patch have something wrong, I'll come back with a new version

Assignee: qa-bugs => makowski.mageia

Comment 9 Philippe Makowski 2015-01-10 18:42:16 CET 
Advisory:
========================

Updated python-pip packages fix security vulnerability:

pip 1.3 through 1.5.6 allows local users to cause a denial of service
(prevention of package installation) by creating a /tmp/pip-build-* file for
another user (CVE-2014-8991).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8991
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html
http://openwall.com/lists/oss-security/2014/11/20/6
========================

Updated packages in core/updates_testing:
========================
python-pip-1.4.1-4.2.mga4
python3-pip-1.4.1-4.2.mga4

from python-pip-1.4.1-4.2.mga4.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 10 Philippe Makowski 2015-01-10 18:46:08 CET 
python-pip-1.4.1-4.2.mga4
tested locally with :
$ pip list | grep firebirdsql
$ su -c 'pip install firebirdsql'
Downloading/unpacking firebirdsql
  Downloading firebirdsql-0.9.6.tar.gz (47kB): 47kB downloaded
  Running setup.py egg_info for package firebirdsql
    
    Not SVN Repository
Installing collected packages: firebirdsql
  Running setup.py install for firebirdsql
    
    Not SVN Repository
Successfully installed firebirdsql
Cleaning up...
$ pip list | grep firebirdsql
firebirdsql (0.9.6)
$ pip show firebirdsql
---
Name: firebirdsql
Version: 0.9.6
Location: /usr/lib/python2.7/site-packages
Requires: 
$ su -c 'pip uninstall firebirdsql'
Uninstalling firebirdsql:
  /usr/lib/python2.7/site-packages/firebirdsql-0.9.6-py2.7.egg-info
  /usr/lib/python2.7/site-packages/firebirdsql/__init__.py
  /usr/lib/python2.7/site-packages/firebirdsql/__init__.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/arc4.py
  /usr/lib/python2.7/site-packages/firebirdsql/arc4.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/consts.py
  /usr/lib/python2.7/site-packages/firebirdsql/consts.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/fbcore.py
  /usr/lib/python2.7/site-packages/firebirdsql/fbcore.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/fberrmsgs.py
  /usr/lib/python2.7/site-packages/firebirdsql/fberrmsgs.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/services.py
  /usr/lib/python2.7/site-packages/firebirdsql/services.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/socketstream.py
  /usr/lib/python2.7/site-packages/firebirdsql/socketstream.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/srp.py
  /usr/lib/python2.7/site-packages/firebirdsql/srp.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/utils.py
  /usr/lib/python2.7/site-packages/firebirdsql/utils.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/wireprotocol.py
  /usr/lib/python2.7/site-packages/firebirdsql/wireprotocol.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/xsqlvar.py
  /usr/lib/python2.7/site-packages/firebirdsql/xsqlvar.pyc
Proceed (y/n)? y
  Successfully uninstalled firebirdsql
$ pip show firebirdsql
$ pip list | grep firebirdsql
Comment 11 olivier charles 2015-01-13 17:07:46 CET 
Testing on Mageia 4x32 real hardware

From current packages (not from first testing package python-pip-1.4.1-4.1.mga4)
---------------------  
python-pip-1.4.1-4.mga4
python3-pip-1.4.1-4.mga4

Pip is already unable to install circonus which is still listed in python packages here : https://pypi.python.org/pypi?%3Aaction=index.
But I can install other packages (firebirdsql, pyebl)

# pip install circonus
Downloading/unpacking circonus
  Downloading circonus-0.0.2.tar.gz
(...)
ImportError: No module named requests.exceptions

----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_root/circonus
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_root/circonus
Storing complete log in /root/.pip/pip.log

# pip install firebirdsql
Downloading/unpacking firebirdsql
(...)
Successfully installed firebirdsql
Cleaning up..
# pip show firebirdsql
---
Name: firebirdsql
Version: 0.9.6
Location: /usr/lib/python2.7/site-packages
Requires: 

# pip install pyebl
Downloading/unpacking pyebl
(...)
Successfully installed pyebl
Cleaning up...
# pip list | grep pyebl
pyebl (0.03)
# pip uninstall pyebl
(...)
Successfully uninstalled pyebl

To testing packages :
-------------------
python-pip-1.4.1-4.2.mga4
python3-pip-1.4.1-4.2.mga4

# pip install circonus
Downloading/unpacking circonus
(...)
ImportError: No module named requests.exceptions

----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-i2moio/circonus
Storing complete log in /root/.pip/pip.log

# pip install pyebl
Downloading/unpacking pyebl
(...)
# pip install pyebl
Downloading/unpacking pyebl

# pip list | grep pyebl
pyebl (0.03)

Conclusion :

Updated testing packages don't show any regression on my installation.
There is still a problem installing circonus python package but I'm unable to know if it comes from python-pip or circonus.

CC: (none) => olchal

Comment 12 claire robinson 2015-01-13 17:13:57 CET 
I think it's just missing python-requests Olivier.

urpmi python-requests and try it again.
Comment 13 olivier charles 2015-01-13 18:16:02 CET 
(In reply to claire robinson from comment #12)
> I think it's just missing python-requests Olivier.
> 
> urpmi python-requests and try it again.

I installed python-requests
# rpm -q python-requests
python-requests-2.3.0-1.mga4

but get the same error with either current or updated-testing packages.
Comment 14 olivier charles 2015-01-13 18:20:23 CET 
Sorry, not exactly the same error :
Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-Xrd44D/circonus

instead of :

Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-i2moio/circonus
without python-requests.
Comment 15 claire robinson 2015-01-13 18:37:04 CET 
It looks like pip is working anyway Olivier, circonus fails here too but we don't have to debug circonus. Others such as firebirdsql and pyebl work ok.

The python3-pip will be largely the same to test except the command is python3-pip rather than just pip.

Testing complete mga4 64

# python3-pip install pyebl
Downloading/unpacking pyebl
  Downloading pyebl-0.03.zip (1.1MB): 1.1MB downloaded
  Running setup.py egg_info for package pyebl
    
    Not SVN Repository
Installing collected packages: pyebl
  Running setup.py install for pyebl
    
    Not SVN Repository
Successfully installed pyebl
Cleaning up...

# python3-pip show pyebl
---
Name: pyebl
Version: 0.03
Location: /usr/lib/python3.3/site-packages
Requires: 

# python3-pip uninstall pyebl
Uninstalling pyebl:
  /usr/lib/python3.3/site-packages/pyebl-0.03-py3.3.egg-info
  /usr/lib/python3.3/site-packages/pyebl/__init__.py
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/__init__.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/drawing.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/io.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/shapes.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/drawing.py
  /usr/lib/python3.3/site-packages/pyebl/io.py
  /usr/lib/python3.3/site-packages/pyebl/shapes.py
Proceed (y/n)? y
  Successfully uninstalled pyebl

# python3-pip show pyebl

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 16 olivier charles 2015-01-13 18:50:19 CET 
Following comment 15 from Claire,

with updated testing package python3-pip-1.4.1-4.2.mga4

# python3-pip install adbpy
# python3-pip show adbpy
# python3-pip uninstall adbpy

All OK

Considering same comment from Claire and disregarding circonus failure, OKing on Mageia4x32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok MGA4-32-OK

Comment 17 claire robinson 2015-01-14 18:35:49 CET 
Validating. Advisory from comment 9 uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2015-01-14 22:56:15 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0023.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED