CVE-2013-1629: Input Validation
It was reported [1],[2] that pip, a package installer for Python modules, would retrieve code to install in an insecure manner. When pip is used to install a module, that code is retrieved from the internet and then, in the presence of setup.py, is executed. If pip is used as root (e.g. "sudo pip install [module]"), then this code is executed with root permissions. Because pip does not do TLS certificate verification, or package verification, it is trivial for an attacker to perform a MitM attack and cause the user attempting to install a module to execute arbitrary code. As of version 1.3, pip provides SSL certificate verification over HTTPS [3],[4]. [1] https://github.com/pypa/pip/issues/425 [2] http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/ [3] https://github.com/pypa/pip/pull/791/files [4] http://www.pip-installer.org/en/latest/logic.html#ssl-certificate-verification
Affected Software
Remediation
Patch Available
Event History
Frequently Asked Questions
What is the severity of CVE-2013-1629?
CVE-2013-1629 is rated as high severity due to its potential to execute arbitrary code when pip is used insecurely.
How do I fix CVE-2013-1629?
To fix CVE-2013-1629, upgrade pip to version 1.3 or later.
What software is affected by CVE-2013-1629?
CVE-2013-1629 affects pip versions earlier than 1.3.
Can CVE-2013-1629 be exploited in a trusted network?
CVE-2013-1629 can still be exploited in a trusted network if malicious code is executed during the pip installation.
What is the impact of CVE-2013-1629?
The impact of CVE-2013-1629 includes unauthorized execution of code with root privileges if pip is used with sudo.