Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html

CVE-2014-8991 has been issued for this on November 20:
http://openwall.com/lists/oss-security/2014/11/20/6

Fedora has added this patch to 1.5.6 in Fedora 21:
http://pkgs.fedoraproject.org/cgit/python-pip.git/plain/local-dos.patch?h=f21&id=a7c7b123d7d980c2f73096b9956f78c629fc301b

Fedora has not yet addressed this in 1.4.1 in Fedora 20 (the same version we have in Mageia 4), but it is also affected.

Here's the RedHat bug for this (missing from the Fedora advisory):
https://bugzilla.redhat.com/show_bug.cgi?id=1166137
Whiteboard: (none) => MGA4TOO
I updated both python-pip-1.4.1-4.1.mga4 and python-pip-1.5.6-8.mga5
Thanks Philippe!

Advisory:
========================

Updated python-pip packages fix security vulnerability:

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user (CVE-2014-8991).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8991
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html
http://openwall.com/lists/oss-security/2014/11/20/6
========================

Updated packages in core/updates_testing:
========================
python-pip-1.4.1-4.1.mga4
python3-pip-1.4.1-4.1.mga4

from python-pip-1.4.1-4.1.mga4.src.rpm
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO => (none)
Pip is used to install and remove python modules from upstream, e.g.: https://pypi.python.org/pypi

To use, pick a module you don't already have from the list there. I chose circonus.

First check it isn't already installed..
# pip list | grep circonus

Install it..
# pip install circonus
Downloading/unpacking circonus
  Downloading circonus-0.0.1.tar.gz
  Running setup.py egg_info for package circonus
    Not SVN Repository
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python2.7/site-packages (from circonus)
Installing collected packages: circonus
  Running setup.py install for circonus
    Not SVN Repository
Successfully installed circonus
Cleaning up...

Check it..
# pip show circonus
---
Name: circonus
Version: 0.0.1
Location: /usr/lib/python2.7/site-packages
Requires: requests

Remove it..
# pip uninstall circonus
Uninstalling circonus:
  /usr/lib/python2.7/site-packages/circonus-0.0.1-py2.7.egg-info
  /usr/lib/python2.7/site-packages/circonus/__init__.py
  /usr/lib/python2.7/site-packages/circonus/__init__.pyc
  /usr/lib/python2.7/site-packages/circonus/client.py
  /usr/lib/python2.7/site-packages/circonus/client.pyc
  /usr/lib/python2.7/site-packages/circonus/tag.py
  /usr/lib/python2.7/site-packages/circonus/tag.pyc
  /usr/lib/python2.7/site-packages/circonus/util.py
  /usr/lib/python2.7/site-packages/circonus/util.pyc
Proceed (y/n)? y
  Successfully uninstalled circonus

Check it removed ok..
# pip list | grep circonus
Whiteboard: (none) => has_procedure
MGA4-64 on HP Probook 6555b KDE.
No installation issue.
Running pip list | grep circonus returns nothing: OK
but pip install circonus

Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 134, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 224, in run
    session=session,
NameError: global name 'session' is not defined

Storing complete log in /home/tester4/.pip/pip.log

The log file shows exactly the same. Something missing in my configuration?
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #4)
> MGA4-64 on HP Probook 6555b KDE.
> No installation issue.
> The log file shows exactly the same. Something missing in my configuration?

Is that the python-pip-1.4.1-4.1.mga4 version from testing, or the previous one?
In reply to Comment 5

It is definitely python-pip-1.4.1-4.1.mga4. Are there two versions? I get:

urpmq --sources python-pip
ftp://ftp.belnet.be/mirror/mageia/distrib/4/x86_64/media/core/release/python-pip-1.4.1-4.mga4.noarch.rpm
ftp://ftp.belnet.be/mirror/mageia/distrib/4/x86_64/media/core/updates_testing/python-pip-1.4.1-4.1.mga4.noarch.rpm
ftp://ftp.belnet.be/mirror/mageia/distrib/4/i586/media/core/release/python-pip-1.4.1-4.mga4.noarch.rpm
I get the same error too when trying to install it with pip install.
CC: (none) => ozkyster
OK thanks, it seems then that my patch has something wrong. I'll come back with a new version.
Assignee: qa-bugs => makowski.mageia
Advisory:
========================

Updated python-pip packages fix security vulnerability:

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user (CVE-2014-8991).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8991
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147567.html
http://openwall.com/lists/oss-security/2014/11/20/6
========================

Updated packages in core/updates_testing:
========================
python-pip-1.4.1-4.2.mga4
python3-pip-1.4.1-4.2.mga4

from python-pip-1.4.1-4.2.mga4.src.rpm
Assignee: makowski.mageia => qa-bugs
python-pip-1.4.1-4.2.mga4 tested locally with:

$ pip list | grep firebirdsql
$ su -c 'pip install firebirdsql'
Downloading/unpacking firebirdsql
  Downloading firebirdsql-0.9.6.tar.gz (47kB): 47kB downloaded
  Running setup.py egg_info for package firebirdsql
    Not SVN Repository
Installing collected packages: firebirdsql
  Running setup.py install for firebirdsql
    Not SVN Repository
Successfully installed firebirdsql
Cleaning up...
$ pip list | grep firebirdsql
firebirdsql (0.9.6)
$ pip show firebirdsql
---
Name: firebirdsql
Version: 0.9.6
Location: /usr/lib/python2.7/site-packages
Requires:
$ su -c 'pip uninstall firebirdsql'
Uninstalling firebirdsql:
  /usr/lib/python2.7/site-packages/firebirdsql-0.9.6-py2.7.egg-info
  /usr/lib/python2.7/site-packages/firebirdsql/__init__.py
  /usr/lib/python2.7/site-packages/firebirdsql/__init__.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/arc4.py
  /usr/lib/python2.7/site-packages/firebirdsql/arc4.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/consts.py
  /usr/lib/python2.7/site-packages/firebirdsql/consts.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/fbcore.py
  /usr/lib/python2.7/site-packages/firebirdsql/fbcore.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/fberrmsgs.py
  /usr/lib/python2.7/site-packages/firebirdsql/fberrmsgs.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/services.py
  /usr/lib/python2.7/site-packages/firebirdsql/services.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/socketstream.py
  /usr/lib/python2.7/site-packages/firebirdsql/socketstream.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/srp.py
  /usr/lib/python2.7/site-packages/firebirdsql/srp.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/utils.py
  /usr/lib/python2.7/site-packages/firebirdsql/utils.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/wireprotocol.py
  /usr/lib/python2.7/site-packages/firebirdsql/wireprotocol.pyc
  /usr/lib/python2.7/site-packages/firebirdsql/xsqlvar.py
  /usr/lib/python2.7/site-packages/firebirdsql/xsqlvar.pyc
Proceed (y/n)? y
  Successfully uninstalled firebirdsql
$ pip show firebirdsql
$ pip list | grep firebirdsql
Testing on Mageia 4x32 real hardware

From current packages (not from first testing package python-pip-1.4.1-4.1.mga4)
---------------------
python-pip-1.4.1-4.mga4
python3-pip-1.4.1-4.mga4

Pip is already unable to install circonus, which is still listed in python packages here: https://pypi.python.org/pypi?%3Aaction=index. But I can install other packages (firebirdsql, pyebl).

# pip install circonus
Downloading/unpacking circonus
  Downloading circonus-0.0.2.tar.gz
(...)
ImportError: No module named requests.exceptions
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_root/circonus
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip_build_root/circonus
Storing complete log in /root/.pip/pip.log

# pip install firebirdsql
Downloading/unpacking firebirdsql
(...)
Successfully installed firebirdsql
Cleaning up..

# pip show firebirdsql
---
Name: firebirdsql
Version: 0.9.6
Location: /usr/lib/python2.7/site-packages
Requires:

# pip install pyebl
Downloading/unpacking pyebl
(...)
Successfully installed pyebl
Cleaning up...

# pip list | grep pyebl
pyebl (0.03)

# pip uninstall pyebl
(...)
  Successfully uninstalled pyebl

To testing packages:
-------------------
python-pip-1.4.1-4.2.mga4
python3-pip-1.4.1-4.2.mga4

# pip install circonus
Downloading/unpacking circonus
(...)
ImportError: No module named requests.exceptions
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-i2moio/circonus
Storing complete log in /root/.pip/pip.log

# pip install pyebl
Downloading/unpacking pyebl
(...)

# pip install pyebl
Downloading/unpacking pyebl

# pip list | grep pyebl
pyebl (0.03)

Conclusion: Updated testing packages don't show any regression on my installation. There is still a problem installing the circonus python package, but I'm unable to know if it comes from python-pip or circonus.
CC: (none) => olchal
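The output above shows the point of the advisory in passing: the unpatched pip builds under a fixed, guessable name (/tmp/pip_build_root), while the patched one uses a random directory (/tmp/pip-build-i2moio). The following is an added illustration of why that matters, written for this page; it is not pip's code and not from the bug report. It creates a sandbox directory in place of /tmp and plants a file under the predictable name to show that the fixed-name scheme can be blocked by whoever gets there first, whereas a freshly created random, mode-0700 directory cannot collide with a planted name. The sandbox, the user name "root" and the helper names are constructed.

```python
import os
import tempfile

# Constructed sandbox standing in for /tmp so the demo never touches the real
# system temp directory (assumes a writable local filesystem).
SANDBOX = tempfile.mkdtemp(prefix="demo-tmp-")


def predictable_build_dir(base, user):
    """pip <= 1.5.6 style: one fixed per-user path, e.g. <tmp>/pip_build_root.

    Because the name is guessable, any local user who creates it first
    occupies it. Returns the path on success, or None when the name is
    already taken (the build cannot safely proceed, i.e. the DoS)."""
    path = os.path.join(base, "pip_build_%s" % user)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        # Something (file or directory) is already there and not ours:
        # refuse to build inside a path another user may control.
        return None
    return path


def hardened_build_dir(base):
    """Patched behaviour: a new, randomly named directory created atomically
    with mode 0700 (<tmp>/pip-build-XXXXXX), so a planted name cannot match."""
    return tempfile.mkdtemp(prefix="pip-build-", dir=base)


def simulate(base=SANDBOX):
    """Plant the predictable name, then try both schemes; returns the outcome."""
    planted = os.path.join(base, "pip_build_root")  # constructed squat file
    with open(planted, "w") as f:
        f.write("squatted by another local user\n")
    blocked = predictable_build_dir(base, "root")   # None: install denied
    safe = hardened_build_dir(base)                 # unaffected by the squat
    return {
        "blocked": blocked is None,
        "safe_dir": safe,
        "safe_is_dir": os.path.isdir(safe),
        "safe_prefix_ok": os.path.basename(safe).startswith("pip-build-"),
        "safe_is_private": (os.stat(safe).st_mode & 0o777) == 0o700,
    }


if __name__ == "__main__":
    print(simulate())
```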
I think it's just missing python-requests Olivier. urpmi python-requests and try it again.
(In reply to claire robinson from comment #12)
> I think it's just missing python-requests Olivier.
>
> urpmi python-requests and try it again.

I installed python-requests
# rpm -q python-requests
python-requests-2.3.0-1.mga4
but get the same error with either current or updated-testing packages.
Sorry, not exactly the same error:

Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-Xrd44D/circonus

instead of:

Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-i2moio/circonus

without python-requests.
It looks like pip is working anyway Olivier, circonus fails here too but we don't have to debug circonus. Others such as firebirdsql and pyebl work ok.

The python3-pip will be largely the same to test except the command is python3-pip rather than just pip.

Testing complete mga4 64

# python3-pip install pyebl
Downloading/unpacking pyebl
  Downloading pyebl-0.03.zip (1.1MB): 1.1MB downloaded
  Running setup.py egg_info for package pyebl
    Not SVN Repository
Installing collected packages: pyebl
  Running setup.py install for pyebl
    Not SVN Repository
Successfully installed pyebl
Cleaning up...

# python3-pip show pyebl
---
Name: pyebl
Version: 0.03
Location: /usr/lib/python3.3/site-packages
Requires:

# python3-pip uninstall pyebl
Uninstalling pyebl:
  /usr/lib/python3.3/site-packages/pyebl-0.03-py3.3.egg-info
  /usr/lib/python3.3/site-packages/pyebl/__init__.py
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/__init__.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/drawing.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/io.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/__pycache__/shapes.cpython-33.pyc
  /usr/lib/python3.3/site-packages/pyebl/drawing.py
  /usr/lib/python3.3/site-packages/pyebl/io.py
  /usr/lib/python3.3/site-packages/pyebl/shapes.py
Proceed (y/n)? y
  Successfully uninstalled pyebl

# python3-pip show pyebl
Whiteboard: has_procedure => has_procedure mga4-64-ok
Following comment 15 from Claire, with updated testing package python3-pip-1.4.1-4.2.mga4:

# python3-pip install adbpy
# python3-pip show adbpy
# python3-pip uninstall adbpy

All OK.

Considering the same comment from Claire and disregarding the circonus failure, OKing on Mageia4x32.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok MGA4-32-OK
Validating. Advisory from comment 9 uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok MGA4-32-OK => has_procedure advisory mga4-64-ok MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0023.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED