/tmp/pip-build not secure #725

Closed
guettli opened this Issue Nov 15, 2012 · 5 comments

Comments

Projects
None yet
4 participants

guettli commented Nov 15, 2012

Well known temporary file names like /tmp/pip-build are insecure.

eviluser@host:~$ ln -s /home/otheruser/some-directory /tmp/pip-build

otheruser@host:~$ pip install ....

--> pip writes in /home/otheruser/some-directory. The user "otheruser" does not know it.

I tried it with pip 1.2.1 and content was written to /home/otheruser/some-directory.

Contributor

pnasrat commented Nov 15, 2012

Can you check develop branch of pip I believe pull #516 would have fixed this.

guettli commented Nov 15, 2012

/tmp/pip-build is still used and can be abused by the way I posted above.

I tried it just some minutes ago with current git branch develop.

You can see it here, too:

strace -f pip install --user foo 2> tmp/strace-pip.log

d1b added a commit to d1b/pip that referenced this issue Nov 23, 2012

Fix #725 and #516.
Signed-off-by: David <db@d1b.org>
Contributor

d1b commented Nov 23, 2012

@guettli I believe #734 fixes this issue.

Contributor

qwcode commented Nov 24, 2012

to be explicit, for anyone coming to this, the main reason for a consistent build directory name, is for the pip install --no-install/--no-download workflow which assumes a consistent directory to work off of between seperate executions of pip. pull #734 seems like a good approach in that it tries to be secure and use a consistent name.

d1b added a commit to d1b/pip that referenced this issue Jan 25, 2013

Fix #725 and #729.
Signed-off-by: David <db@d1b.org>

@qwcode qwcode closed this in 61cc16d Jan 26, 2013

Contributor

qwcode commented Jan 26, 2013

addressed in pull #780

@pyup-vuln-bot pyup-vuln-bot referenced this issue in pyupio/safety-db Oct 14, 2016

Merged

CVE-2013-1888 #387

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment