[Bug 1189042] [NEW] Shipped distutils enforces insecure uploads to PyPI

anatoly techtonik techtonik at php.net
Sat Jun 8 21:34:28 UTC 2013


*** This bug is a security vulnerability ***

Public security bug reported:

The `distutils` module which comes with the Python distribution provides a way
for people to upload their Python packages to the PyPI catalog. The URL shipped
with distutils uses the insecure HTTP access method, which allows harvesting
PyPI passwords through sniffing over insecure networks (such as public WiFi
spots) to be used for malicious uploads.

Changing the URL to the HTTPS scheme will enable encryption and will protect
PyPI from passive attacks. Checking HTTPS certificates to protect from
active MITM attacks is not in the scope of this issue.

The CVE number for this issue is assigned, but not disclosed:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1754. And it has been
open for way too long: http://bugs.python.org/issue12226. The fix for the
issue is available, the patch is working and should be applied in Ubuntu.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: python 2.7.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
Uname: Linux 3.8.0-23-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.9.2-0ubuntu8.1
Architecture: i386
Date: Sun Jun  9 00:18:41 2013
InstallationDate: Installed on 2012-03-12 (453 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta i386 (20120301)
MarkForUpload: True
SourcePackage: python-defaults
UpgradeStatus: Upgraded to raring on 2013-04-20 (49 days ago)

** Affects: python-defaults (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 raring

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1754

** Summary changed:

- Shipped distutils enforce Insecure uploads to PyPI
+ Shipped distutils enforces insecure uploads to PyPI

** Description changed:

- `distutils` module which comes with Python distribution provides way for
- people to upload their Python packages to PyPI catalog. The URL shipped
- with distutils uses insecure  HTTP access method, which opens PyPI
- passwords  to sniffing PyPI passwords use to upload packages. Such
- passwords can be collected over insecure networks (such as public WiFi
- spots) to be used for malicious uploads.
+ `distutils` module which comes with Python distribution provides way for people to upload their Python packages to PyPI catalog. The URL shipped with distutils uses insecure  HTTP access method, which allows harvesting PyPI passwords through sniffing
+ over insecure networks (such as public WiFi spots) to be used for malicious uploads.
  
  Changing URL to HTTPS scheme will enable encryption and will protect
  PyPI from passive attacks. Checking HTTPS certificates to protect from
  active MITM attack is not the scope of this issue.
  
  The CVE number for this issue is assigned, but not disclosed -
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1754 And it is
  open way for too long - http://bugs.python.org/issue12226 - the fix for
  the issue is available, patch is working and should be applied in
  Ubuntu.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: python 2.7.4-0ubuntu1
  ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
  Uname: Linux 3.8.0-23-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.9.2-0ubuntu8.1
  Architecture: i386
  Date: Sun Jun  9 00:18:41 2013
  InstallationDate: Installed on 2012-03-12 (453 days ago)
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta i386 (20120301)
  MarkForUpload: True
  SourcePackage: python-defaults
  UpgradeStatus: Upgraded to raring on 2013-04-20 (49 days ago)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1189042
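As an added illustration of the scheme check the report asks for (example code written for this page; it is not part of the bug report, of distutils, or of Ubuntu's patch): the functions below audit a distutils-style `.pypirc` for upload targets that would send HTTP Basic credentials in the clear, including the case the bug is really about, where a server section omits `repository` and silently inherits the shipped default. `LEGACY_HTTP_REPOSITORY` is the plain-HTTP default that distutils of that era shipped, as I recall it rather than as stated on the page; the `.pypirc` contents are constructed and all function names are mine. Only the URL scheme is examined, matching the report's stated scope; certificate verification is not checked.

```python
"""Flag plain-HTTP PyPI upload targets in a distutils-style .pypirc.

Added example for this page, not code from the Launchpad bug, from distutils
or from Ubuntu's patch. The .pypirc text below is constructed.
"""
import configparser
from urllib.parse import urlparse

# Plain-HTTP default shipped by distutils at the time of the report (value
# recalled from distutils, not taken from the page) and its HTTPS counterpart.
LEGACY_HTTP_REPOSITORY = "http://pypi.python.org/pypi"
HARDENED_REPOSITORY = "https://pypi.python.org/pypi"


def check_repository_url(url):
    """Return None if the URL is acceptable, otherwise a reason string.

    Only the scheme is examined: an http:// target sends the upload
    credentials unencrypted, which is the passive-sniffing risk the report
    describes. Certificate verification is a separate concern (out of scope
    in the report) and is deliberately not checked here.
    """
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return None
    if parsed.scheme == "http":
        return "plain HTTP: credentials would be sent unencrypted"
    return "unexpected scheme %r" % parsed.scheme


def audit_pypirc(text, default_repository=LEGACY_HTTP_REPOSITORY):
    """Parse .pypirc text and return {section: reason} for every upload
    target that fails check_repository_url.

    A server section without an explicit 'repository' key inherits the
    default, which is exactly how a user ends up on the insecure URL without
    ever having written it down.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = {}
    servers = []
    if cp.has_option("distutils", "index-servers"):
        servers = cp.get("distutils", "index-servers").split()
    for name in servers:
        if cp.has_section(name):
            repo = cp.get(name, "repository", fallback=default_repository)
        else:
            repo = default_repository
        reason = check_repository_url(repo)
        if reason:
            findings[name] = reason
    return findings


def harden_url(url):
    """Rewrite an http:// upload URL to https://; other URLs are unchanged."""
    parsed = urlparse(url)
    if parsed.scheme == "http":
        return parsed._replace(scheme="https").geturl()
    return url


# Constructed sample: 'pypi' relies on the legacy default, 'internal' names a
# plain-HTTP server explicitly, 'secure' is already HTTPS.
SAMPLE_PYPIRC = """
[distutils]
index-servers =
    pypi
    internal
    secure

[pypi]
username: alice
password: example-not-real

[internal]
repository: http://pypi.internal.example/simple
username: alice
password: example-not-real

[secure]
repository: https://pypi.python.org/pypi
username: alice
password: example-not-real
"""

if __name__ == "__main__":
    for section, reason in sorted(audit_pypirc(SAMPLE_PYPIRC).items()):
        print("%s: %s" % (section, reason))
```

Running the block against the constructed file reports both `pypi` (inherited default) and `internal` (explicit `http://`); passing `default_repository=HARDENED_REPOSITORY` shows what the fix in the report changes, leaving only the explicitly misconfigured `internal` server flagged.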
