CVE-2014-8991
https://notcve.org/view.php?id=CVE-2014-8991
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. pip 1.3 hasta 1.5.6 permite a usuarios locales causar una denegación de servicio (prevención de la instalación de paquetes) mediante la creación de un fichero /tmp/pip-build-* para otro usuario. • http://www.openwall.com/lists/oss-security/2014/11/19/17 http://www.openwall.com/lists/oss-security/2014/11/20/6 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/71209 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847 https://github.com/pypa/pip/pull/2122 •
CVE-2013-1888
https://notcve.org/view.php?id=CVE-2013-1888
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory. pip anterior a v1.3 permite a los usuarios locales sobrescribir archivos arbitrarios a través de un ataque de enlace simbólico de un archivo en el directorio temporal /tmp/pip-build. • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105952.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105989.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106311.html http://www.openwall.com/lists/oss-security/2013/03/22/10 https://github.com/pypa/pip/issues/725 https://github.com/pypa/pip/pull/734/files https://github.com/pypa/pip/pull/780/files • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2013-1629
https://notcve.org/view.php?id=CVE-2013-1629
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation. “pip” anterior a v1.3 utiliza HTTP para recuperar paquetes del repositorio PyPI, y no realiza comprobaciones de integridad en el contenido del paquete, que permite a atacantes man-in-the-middle ejecutar código arbitrario a través de una respuesta diseñada a una operación de "pip install". • http://www.pip-installer.org/en/latest/installing.html http://www.pip-installer.org/en/latest/news.html#changelog http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a https://bugzilla.redhat.com/show_bug.cgi?id=968059 https://github.com/pypa/pip/issues/425 https://github.com/pypa/pip/pull/791/files • CWE-20: Improper Input Validation •