[Python-modules-team] Bug#725847: python-pip: DoS by other users on the same system
Paul Wise
pabs at debian.org
Wed Oct 9 02:53:33 UTC 2013
Package: python-pip
Version: 1.4.1-2
Severity: normal
Tags: security
Usertags: tmp
pip uses a non-random per-user build directory that is in /tmp. This
means that any user can prevent any other user from installing packages.
There is the --build-directory option to override this, but it isn't
documented in the manual page, only in the --help output. It would be much
better to use tempfile.mkdtemp() to create the build directory.
$ pip install foo
The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
pip will not work until the temporary folder is either deleted or owned by your user account.
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.4.1', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 345, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2381, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2087, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 10, in <module>
    from pip.util import get_installed_distributions, get_prog
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 15, in <module>
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 92, in <module>
    build_prefix = _get_build_prefix()
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 82, in _get_build_prefix
    raise pip.exceptions.InstallationError(msg)
pip.exceptions.InstallationError: The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-pip depends on:
ii ca-certificates 20130906
ii python 2.7.5-5
ii python-pkg-resources 0.6.49-2
ii python-setuptools 0.6.49-2
Versions of packages python-pip recommends:
ii build-essential 11.6
pn python-dev-all <none>
--
bye,
pabs
http://wiki.debian.org/PaulWise
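The following is an added illustration, not code from pip or from the bug reporter. It models the two layouts the report contrasts: a predictable per-user directory under a shared base (a simplified stand-in for pip 1.4's _get_build_prefix(), whose ownership check produces the error shown in the traceback) and a directory created with tempfile.mkdtemp(). The names fixed_name_build_dir, random_build_dir, is_private_dir and demo are hypothetical, the scratch directory stands in for /tmp, and the "other user" is modelled by passing a uid that differs from the directory's owner, since the example cannot chown without root.

```python
import os
import shutil
import stat
import tempfile


class BuildDirError(Exception):
    """Raised when a fixed-name build directory cannot be used safely."""


def fixed_name_build_dir(base, username, uid=None):
    """Predictable layout: <base>/pip_build_<username>.

    Because the name depends only on the username, anyone who can write to
    ``base`` can create it first. The ownership check below (the same idea as
    pip 1.4's check, simplified) is what turns that into a denial of service:
    once a directory owned by someone else exists, every later run fails.
    """
    uid = os.getuid() if uid is None else uid
    path = os.path.join(base, "pip_build_%s" % username)
    if os.path.lexists(path):
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
            raise BuildDirError(
                "The temporary folder for building (%s) is not owned by your user!" % path)
        return path
    os.mkdir(path, 0o700)
    return path


def random_build_dir(base, prefix="pip_build_"):
    """Hardened variant: tempfile.mkdtemp() chooses an unpredictable suffix,
    creates the directory atomically with mode 0700 and retries on a name
    collision, so no pre-existing entry under ``base`` can block the caller."""
    return tempfile.mkdtemp(prefix=prefix, dir=base)


def is_private_dir(path, uid=None):
    """True if ``path`` is a directory owned by ``uid`` with no group/other bits."""
    uid = os.getuid() if uid is None else uid
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == uid and (st.st_mode & 0o077) == 0


def demo():
    """Constructed scenario: a scratch directory stands in for the shared /tmp
    and 'pabs' is the user from the report. Returns a dict of observations."""
    shared = tempfile.mkdtemp(prefix="shared_tmp_")   # constructed stand-in for /tmp
    try:
        # A directory that already exists under the predictable name, created
        # by the current account. The victim is modelled as a different uid.
        planted = os.path.join(shared, "pip_build_pabs")
        os.mkdir(planted)
        victim_uid = os.getuid() + 1   # constructed: any uid other than the owner's

        result = {}
        try:
            fixed_name_build_dir(shared, "pabs", uid=victim_uid)
            result["fixed_blocked"] = False
        except BuildDirError:
            result["fixed_blocked"] = True     # the DoS from the report

        # The check only looks at ownership: the owner can keep using it.
        result["owner_reuses"] = fixed_name_build_dir(shared, "pabs") == planted

        # mkdtemp() never reuses an existing entry and gives a private 0700 dir.
        fresh = random_build_dir(shared)
        result["random_ok"] = os.path.isdir(fresh) and fresh != planted
        result["random_private"] = is_private_dir(fresh)
        result["random_unpredictable"] = (
            os.path.basename(fresh).startswith("pip_build_")
            and len(os.path.basename(fresh)) > len("pip_build_"))
        return result
    finally:
        shutil.rmtree(shared, ignore_errors=True)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-22s %s" % (key, value))
```

The ownership check is a detection, not a mitigation: it stops pip from building inside a directory someone else controls, but it cannot make the predictable path available again. Choosing the name with mkdtemp(), or letting the user point --build-directory somewhere under their own home, removes the shared name that the denial depends on.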