CVE-2014-8991

Publication date 24 November 2014

Last updated 24 July 2024


Ubuntu priority

pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-pip 18.04 LTS bionic
Not affected
17.10 artful
Not affected
17.04 zesty Ignored end of life
16.10 yakkety Ignored end of life
16.04 LTS xenial
Not affected
15.10 wily Ignored end of life
15.04 vivid Ignored end of life
14.10 utopic Ignored end of life
14.04 LTS trusty Ignored end of ESM support, was ignored [see note above]
12.04 LTS precise Ignored end of life
10.04 LTS lucid Ignored end of life

Notes


msalvatore

The patch from upstream does not resolve the CVE. Backporting this the actual fix for trusty requires invasive changes that will change the command line interface. The issues is first fixed in version 7.0.0 and the changelog mentions it is backwards incompatible.