pip does not verify SSL certificates

Reported by Evan Broder on 2012-06-20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
python-pip (Ubuntu)

Bug Description

pip uses urllib2 to fetch packages, which means that it doesn't do any SSL cert verification.

At some level this is just the cost of urllib2 sucking. I wasn't able to find any prior actions from the security team on urllib2 not doing certificate validation, so I'm naively guessing that it's being accepted as the cost of doing business. But I think it's particularly concerning for pip, since it downloads and installs code onto the system.

I've attached a quickly hacked together patch that overrides httplib.HTTPConnection.connect, which is actually responsible for the SSL handshake. The added verification is backported from Python 3.2, which includes a ssl.match_hostname function.

Marking as embargoed for the time being, though that's possibly a bit silly, so feel free to change if you don't feel it merits an embargo.

(Note that it's also not possible to get pip to download over SSL from pypi - although pypi serves over SSL, its links to the actual code download are over plaintext HTTP. I ran into this while working on Stripe's code hosting site at https://code.stripe.com, which we had previously believed gave us a mechanism to securely distribute our code)

CVE References

Evan Broder (broder) wrote :
Marc Deslauriers (mdeslaur) wrote :
Changed in python-pip (Ubuntu):
status: New → Incomplete
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
tags: added: patch
Launchpad Janitor (janitor) wrote :

[Expired for python-pip (Ubuntu) because there has been no activity for 60 days.]

Changed in python-pip (Ubuntu):
status: Incomplete → Expired
Changed in python-pip (Ubuntu):
status: Expired → Confirmed
Donald Stufft (dstufft) wrote :

Hello there,

I've never particularly engaged the Linux Distro, much less the Ubuntu, packaging process so forgive me if I'm doing this wrong.

I'm a pip maintainer and I would like to get this fixed in Ubuntu. I see that saucy has pip 1.4.1, raring has 1.3.1, quantal has 1.1, precise has 1.0, and lucid has 0.3.1. This means that the fix is already in place for saucy and raring but that using pip in quantal, precise, and lucid essentially allows someone in the position to MITM traffic to execute arbitrary Python code (ref CVE-2013-1629).

So I'm not sure what the options are for fixing this, easiest from my point of view is to upgrade any version of pip pre 1.3 to at least pip 1.3 so that it gets TLS verification and folks are safer when using pip. Is this an option?

Barry Warsaw (barry) wrote :

You could use backports: https://help.ubuntu.com/community/UbuntuBackports but I'm not sure that will reach the widest possible audience. It may be worth doing in addition to security-only fixes, but it's a lot of effort to ensure that the package will build, install, and work on older releases. It may be easy or hard depending on pip's dependency stack.

Ideally, a security-only patch would be provided for the security pockets of these releases: https://wiki.ubuntu.com/SecurityTeam/FAQ

I don't have the cycles to create the patches, but I could review and test them.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-pip (Ubuntu Lucid):
status: New → Confirmed
Changed in python-pip (Ubuntu Precise):
status: New → Confirmed
Changed in python-pip (Ubuntu Quantal):
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers