Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 26 Jul 2013 11:46:03 -0400
From: Donald Stufft <donald@...fft.io>
To: oss-security@...ts.openwall.com,
 isis@...project.org
Cc: cve-assign@...re.org
Subject: Re: Requesting CVE-ID(s) for Python's pip


On Jul 26, 2013, at 8:03 AM, isis agora lovecruft <isis@...project.org> wrote:

> I would also like to request CVE assignment(s) for two issues in pip
> (https://github.com/pypa/pip/), related to Donald Stufft's.
> 
> First issue:
> ------------
>  Python's pip versions 1.4.x and earlier are vulnerable to an Arbitrary Code
>  Execution Attack due to incorrect regexp parsing of external download links
>  in the following functions in pip/index.py:
> 
>    * PackageFinder._get_pages() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L232
>    * PackageFinder._sort_links() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L272
>    * PackageFinder._package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L285
>    * PackageFinder._link_package_versions() https://github.com/pypa/pip/blob/1.3.X/pip/index.py#L290
> 
>  Which allow an attacker with the ability to Man-in-the-Middle external
>  package URIs (which often include external HTTP URIs, and can include the
>  module author's personal website, see
>  https://github.com/pypa/pip/commit/a3584d176697bd4c83390de1857679d44389e00d#L0L265)
>  to specify an arbitrarily high package version number and gain code
>  execution.
> 
>  Uptream bugtracker reports: https://github.com/pypa/pip/issues/425#issuecomment-20639993
>                              https://github.com/pypa/pip/issues/425#issuecomment-20640890
> 
>  Other mentions: https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157
>                  https://paste.debian.net/7309/
> 
>  This issue is fixed in pip>=1.5.x by Donald Stufft in the following commits:
>  https://github.com/pypa/pip/commit/0e1da584f418ae0088b43d01248572e2ff53d3a1
>  https://github.com/pypa/pip/commit/9ccd5f0bb37508f03e6a19be58af7384eede2157

I'm not sure I understand this one. Is this just the external urls? Technically it wasn't a problem with the regexp's they worked fine. It was just bad behavior inherited from legacy systems. 1.4.x defaults to allowing them but enables people to turn them off, 1.5.x will disallow them by default.

1.3.x and earlier allowed them and offered no way to disable them.

> 
> Second issue:
> -------------
>  Python's pip versions 1.5.x and earlier use MD5 hashes for verification of
>  package integrity against PyPI (which defaults to providing MD5).

Strictly speaking pip doesn't default to any hash. It just uses the hash given to it. Prior to 1.2 it only allowed MD5 but since the release of 1.2 it has allowed any of the guaranteed hashes in python's hash lib.

See: https://github.com/pypa/pip/pull/467

Setuptools has also historically only allowed MD5 but has recently with version 0.9+ enabled similar abilities to setuptools to enable the use of any available hashes as well. Distribute (a fork of setuptools which has now been merged back into setuptools) only supports MD5 in it's older releases.

> 
> These issues appear to be unrelated to Donald Stufft's CVE ID request filed
> earlier today, and additionally unrelated to the following already assigned
> CVEs:
> 
>  * CVE-2013-1888 Pip builds in /tmp 
>    https://security-tracker.debian.org/tracker/CVE-2013-1888
>    https://bugzilla.redhat.com/show_bug.cgi?id=923974
>    http://seclists.org/oss-sec/2013/q1/704
> 
>  * CVE-2013-1629 Pip<1.3.0 uses a default package index without SSL
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
>    https://bugzilla.redhat.com/show_bug.cgi?id=968059
> 
> -- 
> ♥Ⓐ isis agora lovecruft
> _________________________________________________________
> GPG: 4096R/A3ADB67A2CDB8B35
> Current Keys: https://blog.patternsinthevoid.net/isis.txt


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.