| Summary: | python-pip new security issue CVE-2013-5123 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, makowski.mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/641426/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | python-pip-1.4.1-4.2.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-04-22 18:15:18 CEST
Yes python-virtualenv bundles pip so python-virtualenv and python-pip and python3-pip need to be checked
David Walser
2015-04-22 19:30:23 CEST
URL: (none) => http://lwn.net/Vulnerabilities/641426/

Upstream changelog lists this issue as fixed in upstream version 1.5:

BACKWARD INCOMPATIBLE pip no longer supports the --use-mirrors, -M, and --mirrors flags. The mirroring support has been removed. In order to use a mirror specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. (PR #1098, CVE-2013-5123)

https://pip.pypa.io/en/latest/news.html
https://github.com/pypa/pip/pull/1098

but reading the news, I see that 6.1.0 also fixes CVE-2015-2296

I suggest having in mga4: virtualenv-1.11.6 and pip 1.5.6; in cauldron: virtualenv-12.1.1 and pip 6.1.1

hum, that's the usual nightmare with bundles ... seems that the safest is to update mga4 and cauldron to virtualenv-12.1.1 and pip 6.1.1, but we really need to look at the Debian packages to use the .whl files for de-vendorized dependencies.

Freeze push asked for python-pip

python-pip-6.1.1-1.mga4 is in testing

Freeze push asked for python-virtualenv

python-virtualenv-12.1.1-1.mga4 is in testing

(In reply to Philippe Makowski from comment #2)
> but reading the news, I see that 6.1.0 also fixes CVE-2015-2296

That CVE was in python-requests. The news says they upgraded their bundled copy. Does our python-pip bundle it?

Advisory:
========================

Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed (CVE-2013-5123).
This was fixed in python-pip by removing the mirroring support (i.e., the --use-mirrors, -M, and --mirrors flags). With the updated version, in order to use a mirror, one must specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also been updated to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5123
https://pip.pypa.io/en/latest/news.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
========================

Updated packages in core/updates_testing:
========================
python-pip-6.1.1-1.mga4
python3-pip-6.1.1-1.mga4
python-virtualenv-12.1.1-1.mga4

from SRPMS:
python-pip-6.1.1-1.mga4.src.rpm
python-virtualenv-12.1.1-1.mga4.src.rpm

CC: (none) => makowski.mageia

(In reply to David Walser from comment #7)
> (In reply to Philippe Makowski from comment #2)
> > but reading the news, I see that 6.1.0 also fixes CVE-2015-2296
>
> That CVE was in python-requests. The news says they upgraded their bundled
> copy. Does our python-pip bundle it?

unfortunately yes, that's also why I chose to update to this version
for next releases I will look closer at the Debian way using wheel to unbundle all this, but that needs some work and tests

Thanks Philippe! What a mess :o)

Advisory:
========================

Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed (CVE-2013-5123).

This was fixed in python-pip by removing the mirroring support (i.e., the --use-mirrors, -M, and --mirrors flags). With the updated version, in order to use a mirror, one must specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also been updated to fix this issue.

The python-virtualenv package bundles python-requests as well, so this update fixes the session fixation issue CVE-2015-2296 in the bundled python-requests.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5123
https://pip.pypa.io/en/latest/news.html
http://advisories.mageia.org/MGASA-2015-0120.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html

Procedures:
pip - https://bugs.mageia.org/show_bug.cgi?id=14969#c3
virtualenv - https://bugs.mageia.org/show_bug.cgi?id=10761#c2
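As an added example (not from the bug report, the advisory, or pip itself), a small audit of a pip.conf: it flags the legacy mirror keys the fixed pip no longer accepts and any index that is not reached over https, and shows the corrected form where the mirror is given as an index, as the advisory recommends. The config text and every hostname are constructed; the keys follow pip's convention of long option names without leading dashes.

```python
"""Audit a pip.conf for the weaknesses CVE-2013-5123 removed.

Added example, not from the Mageia bug or from pip. It reads the INI
format pip uses and reports:
  * legacy mirror settings, which pip >= 1.5 no longer honours, and
  * index URLs not served over https, where a network attacker could
    substitute a package whose setup.py then runs on the host.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: an old-style config that still relies on mirrors
# and reaches two indexes over plaintext HTTP.
SAMPLE_PIP_CONF = """
[global]
use-mirrors = true
mirrors = http://mirror.example.invalid/simple/
index-url = http://pypi.example.invalid/simple/
extra-index-url =
    https://internal.example.invalid/simple/
    http://legacy.example.invalid/simple/
"""

# Constructed sample of the corrected form: the mirror is named as an
# index (-i / --extra-index-url in pip.conf terms) and everything is https.
FIXED_PIP_CONF = """
[global]
index-url = https://pypi.example.invalid/simple/
extra-index-url = https://mirror.example.invalid/simple/
"""

LEGACY_MIRROR_KEYS = ("use-mirrors", "mirrors")
INDEX_KEYS = ("index-url", "extra-index-url")


def audit_pip_conf(text):
    """Return (key, value, problem) tuples for a pip.conf body; [] if clean."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, raw in cp.items(section):
            for value in raw.split():  # multi-line values are whitespace separated
                if key in LEGACY_MIRROR_KEYS:
                    findings.append((key, value, "legacy mirror setting (removed in pip 1.5)"))
                elif key in INDEX_KEYS and urlsplit(value).scheme != "https":
                    findings.append((key, value, "index not served over https"))
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_PIP_CONF, FIXED_PIP_CONF):
        print(audit_pip_conf(conf) or "clean")
```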
claire robinson
2015-04-30 16:00:54 CEST
Whiteboard: (none) => has_procedure

Testing complete mga4 64

To test python3-pip just replace 'pip' in the procedure with 'python3-pip'.

Whiteboard: has_procedure => has_procedure mga4-64-ok

MGA4-32 on AcerD620 Xfce
Seems OK, as shown by results:
pip list | grep firebirdsql
[xxxx@yyyy ~]# pip install firebirdsql
Collecting firebirdsql
Downloading firebirdsql-0.9.7.tar.gz (47kB)
100% |████████████████████████████████| 49kB 472kB/s
Installing collected packages: firebirdsql
Running setup.py install for firebirdsql
Successfully installed firebirdsql-0.9.7
pip uninstall firebirdsql
Uninstalling firebirdsql-0.9.7:
/usr/lib/python2.7/site-packages/firebirdsql-0.9.7-py2.7.egg-info
/usr/lib/python2.7/site-packages/firebirdsql/__init__.py
..and some more ......
Proceed (y/n)? y
Successfully uninstalled firebirdsql-0.9.7
same results with python3-pip
and
mkdir test
[xxxx@yyyy ~]# cd test
[xxxx@yyyy test]# virtualenv --distribute .
New python executable in ./bin/python
Installing setuptools, pip...done.
[xxxx@yyyy test]# source bin/activate
(test)[xxxx@yyyy test]# pip install circonus
Collecting circonus
Downloading circonus-0.0.22.tar.gz
Collecting colour (from circonus)
Downloading colour-0.1.1.tar.gz
Collecting requests (from circonus)
Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
100% |████████████████████████████████| 471kB 215kB/s
Installing collected packages: colour, requests, circonus
Running setup.py install for colour
Running setup.py install for circonus
Successfully installed circonus-0.0.22 colour-0.1.1 requests-2.6.2
(test)[xxxx@yyyy test]# pip uninstall circonus
Uninstalling circonus-0.0.22:
/root/test/lib/python2.7/site-packages/circonus-0.0.22-py2.7.egg-info
...and some more....
Proceed (y/n)? y
Successfully uninstalled circonus-0.0.22

CC: (none) => herman.viaene

Validating. Advisory uploaded. Please push to 4 updates
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0180.html

Status: NEW => RESOLVED