[gentoo-announce] [ GLSA 202501-03 ] pip: arbitrary configuration injection

    From glsamaker@gentoo.org@21:1/5 to All on Fri Jan 17 08:10:01 2025
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202501-03
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: pip: arbitrary configuration injection
    Date: January 17, 2025
    Bugs: #918427
    ID: 202501-03

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in pip, which could lead to
    arbitrary configuration options being injected.

    Background
    ==========

    pip is a tool for installing and managing Python packages.

    Affected packages
    =================

    Package          Vulnerable    Unaffected
    --------------   -----------   -----------
    dev-python/pip   < 23.3        >= 23.3

    Description
    ===========

    Multiple vulnerabilities have been discovered in pip. Please review the
    CVE identifiers referenced below for details.

    Impact
    ======

    When installing a package from a Mercurial VCS URL (i.e. "pip install
    hg+..."), the specified Mercurial revision could be used to inject
    arbitrary configuration options into the "hg clone" call (i.e.
    "--config"). Controlling the Mercurial configuration can modify how,
    and which, repository is installed. This vulnerability does not affect
    users who are not installing from Mercurial.
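    The mechanism above, as an added example that is not pip's own code: the
    "vulnerable" function reproduces only the argv shape the advisory
    describes (a revision handed to hg as a bare positional argument), while
    the hardened form refuses option-like revisions and binds the value to
    --rev with "=". It also audits a constructed requirements list for hg+
    entries that a pre-23.3 pip would have passed through. It assumes the
    "hg+<repo>@<rev>" requirement form and never invokes hg.

```python
"""Added example (not pip's own code): audit pip-style Mercurial VCS
requirements and build the hg argv the hardened way.

Assumptions: requirement lines use the 'hg+<repo>@<rev>' form and the
only '@' after the scheme separates repo from revision.  Nothing runs hg."""
from typing import List, Tuple


class UnsafeRevision(ValueError):
    """Revision string that hg's option parser could treat as an option."""


def split_hg_requirement(req: str) -> Tuple[str, str]:
    """Split 'hg+<repo>@<rev>' into (repo, rev); rev is '' when absent.
    A '#egg=...' fragment is dropped first so it is never read as a revision."""
    if not req.startswith("hg+"):
        raise ValueError("not a Mercurial VCS requirement")
    body = req[len("hg+"):].split("#", 1)[0]
    repo, sep, rev = body.rpartition("@")
    return (repo, rev) if sep else (body, "")


def vulnerable_update_args(rev: str) -> List[str]:
    """Shape described by the advisory (reconstruction, not pip's source):
    the revision rides as a bare positional argument, so a value starting
    with '-' is parsed by hg as an option rather than as a revision."""
    return ["hg", "update", "-q", rev]


def hardened_update_args(rev: str) -> List[str]:
    """Reject option-like revisions outright and bind the value to --rev
    with '=' so hg can only ever interpret it as a revision."""
    if not rev or rev.startswith("-"):
        raise UnsafeRevision(f"refusing revision {rev!r}")
    return ["hg", "update", "-q", f"--rev={rev}"]


def audit_requirements(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (requirement, reason) for hg+ lines whose revision a
    vulnerable pip would have passed to hg as an option."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("hg+"):
            continue  # comments, blanks and non-Mercurial requirements
        _repo, rev = split_hg_requirement(line)
        if rev.startswith("-"):
            findings.append((line, f"revision {rev!r} starts with '-'"))
    return findings


# Constructed sample requirements; hosts and packages are placeholders.
SAMPLE_REQUIREMENTS = [
    "# pinned from an internal mirror",
    "hg+https://hg.example.invalid/libfoo@1a2b3c4d#egg=libfoo",
    "hg+https://hg.example.invalid/libbar@--config=section.key=value",
    "requests==2.31.0",
]

if __name__ == "__main__":
    for req, why in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"FLAG {req}: {why}")
```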

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All pip users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-python/pip-23.3"

    References
    ==========

    [ 1 ] CVE-2023-5752
    https://nvd.nist.gov/vuln/detail/CVE-2023-5752

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202501-03

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2025 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
