CVE-2013-1629

Advisory

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
• https://github.com/pypa/pip/issues/425
• https://github.com/pypa/pip/pull/791/files
• http://www.pip-installer.org/en/latest/installing.html
• http://www.pip-installer.org/en/latest/news.html#changelog
• http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
• https://bugzilla.redhat.com/show_bug.cgi?id=968059