Bugzilla – Bug 1217353
VUL-0: CVE-2023-5752: python-pip,python36-pip,python39-pip: Mercurial configuration injectable in repo revision when installing via pip
Last modified: 2024-07-10 13:58:13 UTC
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5752
Also, https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/ and https://github.com/pypa/pip/pull/12306
This is an autogenerated message for OBS integration: This bug (1217353) was mentioned in https://build.opensuse.org/request/show/1127960 Factory / python-pip
Not applicable for SUSE:SLE-12-SP3:Update:Products:Cloud8:Update and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update (pip-9.0.1 doesn’t have the functionality).
SUSE-SU-2023:4988-1: An update that solves one vulnerability can now be installed. Category: security (low) Bug References: 1217353 CVE References: CVE-2023-5752 Sources used: openSUSE Leap 15.4 (src): python-pip-22.3.1-150400.17.12.1 openSUSE Leap 15.5 (src): python-pip-22.3.1-150400.17.12.1 Python 3 Module 15-SP4 (src): python-pip-22.3.1-150400.17.12.1 Python 3 Module 15-SP5 (src): python-pip-22.3.1-150400.17.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4987-1: An update that solves one vulnerability can now be installed. Category: security (low) Bug References: 1217353 CVE References: CVE-2023-5752 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-pip-10.0.1-13.14.1 SUSE Linux Enterprise Server 12 SP5 (src): python-pip-10.0.1-13.14.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-pip-10.0.1-13.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
That is now in https://build.suse.de/request/show/318437
SUSE-SU-2024:0892-1: An update that solves one vulnerability can now be installed. Category: security (low) Bug References: 1217353 CVE References: CVE-2023-5752 Sources used: SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-pip-20.2.4-8.15.1 SUSE Linux Enterprise Server 12 SP5 (src): python36-pip-20.2.4-8.15.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-pip-20.2.4-8.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.