Bug 1217353 (CVE-2023-5752)

Summary: VUL-0: CVE-2023-5752: python-pip,python36-pip,python39-pip: Mercurial configuration injectable in repo revision when installing via pip
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: mcepl, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/383070/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5752:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-11-21 07:55:56 UTC 
When installing a package from a Mercurial VCS URL  (ie "pip install 
hg+...") with pip prior to v23.3, the specified Mercurial revision could
 be used to inject arbitrary configuration options to the "hg clone" 
call (ie "--config"). Controlling the Mercurial configuration can modify
 how and which repository is installed. This vulnerability does not 
affect users who aren't installing from Mercurial.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5752
Comment 2 OBSbugzilla Bot 2023-11-21 17:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1217353) was mentioned in
https://build.opensuse.org/request/show/1127960 Factory / python-pip
Comment 5 Matej Cepl 2023-11-22 07:25:03 UTC 
Not applicable for SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update (pip-9.0.1 doesn’t have the functionality).
Comment 9 Maintenance Automation 2023-12-28 16:30:02 UTC 
SUSE-SU-2023:4988-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1217353
CVE References: CVE-2023-5752
Sources used:
openSUSE Leap 15.4 (src): python-pip-22.3.1-150400.17.12.1
openSUSE Leap 15.5 (src): python-pip-22.3.1-150400.17.12.1
Python 3 Module 15-SP4 (src): python-pip-22.3.1-150400.17.12.1
Python 3 Module 15-SP5 (src): python-pip-22.3.1-150400.17.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-12-28 16:30:05 UTC 
SUSE-SU-2023:4987-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1217353
CVE References: CVE-2023-5752
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-pip-10.0.1-13.14.1
SUSE Linux Enterprise Server 12 SP5 (src): python-pip-10.0.1-13.14.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-pip-10.0.1-13.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Matej Cepl 2024-01-17 21:44:29 UTC 
That is now in https://build.suse.de/request/show/318437
Comment 13 Maintenance Automation 2024-03-15 08:36:27 UTC 
SUSE-SU-2024:0892-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1217353
CVE References: CVE-2023-5752
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-pip-20.2.4-8.15.1
SUSE Linux Enterprise Server 12 SP5 (src): python36-pip-20.2.4-8.15.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-pip-20.2.4-8.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Andrea Mattiazzo 2024-07-10 13:58:13 UTC 
All done, closing.