Pipenv check thinks pip is ancient, fails citing CVE-2013-5123
I’ve searched through existing issues, and tried to find clues in the source (which I’ve never cracked open before). Neither turned up anything for me, so here’s an issue!
Issue description
pipenv check fails when checking the pip version. It warns about an issue in versions of pip older than 1.5. I’ve seen this on a macOS machine and a circleci docker image running pip 19.3.1 and 20.0.3 respectively.
I’m using Python 3.6, and managing python versions with pyenv.
Expected result
Since the installed version of pip is greater than 1.5, I would expect this check to pass instead of fail.
Actual result
Checking installed package safety…
37752: pip resolved (19.3.1 installed)!
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.
Steps to replicate
Here’s a handy little script to reproduce.
mkdir pipenv_check
cd pipenv_check
pipenv --python 3.6
pipenv check
$ pipenv --support
Pipenv version: '2018.11.26'
Pipenv location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/lib/python3.7/site-packages/pipenv'
Python location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/bin/python3.7'
Python installations found:
3.7.5: /usr/local/bin/python3
3.7.5: /usr/local/bin/python3.7m
3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3
3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3.7m
3.6.6: /Users/jules/.pyenv/versions/645_a2/bin/python3
3.6.6: /Users/jules/.pyenv/versions/3.6.6/bin/python3.6m
2.7.16: /usr/bin/python
2.7.16: /usr/bin/pythonw
2.7.16: /usr/bin/python2.7
2.7.8: /Users/jules/.pyenv/versions/2.7.8/bin/python
2.6.6: /Users/jules/.pyenv/versions/test/bin/python
2.6.6: /Users/jules/.pyenv/versions/hadoop/bin/python
2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python
2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python2.6
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.7.5',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '17.7.0',
'platform_system': 'Darwin',
'platform_version': 'Darwin Kernel Version 17.7.0: Thu Jan 23 07:05:23 PST '
'2020; root:xnu-4570.71.69~1/RELEASE_X86_64',
'python_full_version': '3.7.5',
'python_version': '3.7',
'sys_platform': 'darwin'}
System environment variables:
PATH
__GIT_PROMPT_IGNORE_STASH
TERM_PROGRAM
PYENV_ROOT
ANDROID_HOME
TERM
SHELL
TMPDIR
Apple_PubSub_Socket_Render
TERM_PROGRAM_VERSION
TERM_SESSION_ID
__GIT_PROMPT_SHOW_UPSTREAM
USER
__GIT_PROMPT_SHOW_UNTRACKED_FILES
SSH_AUTH_SOCK
PYENV_VIRTUALENV_INIT
_
PWD
LANG
XPC_FLAGS
XPC_SERVICE_NAME
HOME
SHLVL
PYENV_SHELL
GIT_BRANCH
__GIT_PROMPT_SHOW_CHANGED_FILES_COUNT
__GIT_PROMPT_IGNORE_SUBMODULES
LOGNAME
__CF_USER_TEXT_ENCODING
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
Debug–specific environment variables:
PATH: /usr/local/Cellar/pipenv/2018.11.26_2/libexec/tools:/Users/jules/Library/Python/2.7/bin:/usr/local/Cellar/pyenv-virtualenv/1.1.3/shims:/Users/jules/.pyenv/shims:/Users/jules/.pyenv/bin:/usr/local/opt/gettext/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin:/Applications/Wireshark.app/Contents/MacOS:/Users/jules/Library/Android/sdk/tools:/Users/jules/Library/Android/sdk/platform-tools:/Applications/microchip/xc8/v2.05/bin:/Applications/microchip/xc8/v2.05/bin
SHELL: /bin/bash
LANG: en_CA.UTF-8
PWD: /Users/jules/pipenv_check
Contents of Pipfile ('/Users/jules/pipenv_check/Pipfile'):
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
[packages]
[requires]
python_version = "3.6"
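The failing check above is a version-spec match: the advisory for CVE-2013-5123 covers pip before 1.5, so an installed 19.3.1 or 20.0.3 should never satisfy it. The example below is an added illustration, not pipenv's or safety's own code, of how such a check decides whether an installed version falls inside an advisory's spec, and of a sanity check that catches a database entry whose spec is so broad that it flags every version. The vulnerability-database record is constructed here after the general shape of a safety-db entry (the field names "specs", "id" and "cve" and the "pyup.io-" id prefix are assumptions; the advisory text and the number 37752 are from the page), and the spec grammar is deliberately limited to dotted numeric versions with a single comparison operator per clause (real tools use packaging.specifiers, which implements full PEP 440). The page does not say what the safety-db fix changed, so the over-broad-spec check is a generic guard, not a statement of this issue's root cause.

```python
"""Added example: version-spec matching for a dependency-vulnerability check.
Stdlib only. Not the code of pipenv or safety; entry shape is an assumption."""
import json
import operator
import re

# Constructed database entry, modelled on a safety-db record (field names
# and id prefix assumed; advisory text and 37752 are from the issue page).
VULN_DB_JSON = r'''
{
  "pip": [
    {
      "id": "pyup.io-37752",
      "cve": "CVE-2013-5123",
      "advisory": "The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.",
      "specs": ["<1.5"]
    }
  ]
}
'''

_OPS = {
    "<": operator.lt, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">=": operator.ge, ">": operator.gt,
}
# One clause: an operator followed by a dotted numeric version (simplified grammar).
_SPEC_RE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def load_db(text: str = VULN_DB_JSON) -> dict:
    """Parse the JSON database into {package: [entry, ...]}."""
    return json.loads(text)


def parse_version(text: str) -> tuple:
    """'19.3.1' -> (19, 3, 1); trailing zeros dropped so '1.5.0' == '1.5'.
    Integer tuples compare numerically, which is the whole point: as strings
    '1.10' < '1.5' is True, a classic bug in ad-hoc version checks."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`,
    e.g. '>=1.0,<1.5'. An empty spec is an error, not 'all versions'."""
    clauses = [c for c in spec.split(",") if c.strip()]
    if not clauses:
        raise ValueError("empty version spec would match every version")
    v = parse_version(version)
    for clause in clauses:
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def check_installed(installed: dict, db: dict) -> list:
    """installed: {package: version}. Returns (package, version, id, cve)
    for every advisory whose spec the installed version satisfies."""
    hits = []
    for name, version in installed.items():
        for entry in db.get(name, []):
            if any(matches_spec(version, s) for s in entry["specs"]):
                hits.append((name, version, entry["id"], entry["cve"]))
    return hits


def overbroad_specs(db: dict, probe: str = "9999.9999") -> list:
    """Sanity check on the database itself: a spec that admits an absurdly
    new version admits every version, so each such entry is a guaranteed
    false positive for every installation of that package."""
    bad = []
    for name, entries in db.items():
        for entry in entries:
            for spec in entry["specs"]:
                if matches_spec(probe, spec):
                    bad.append((name, entry["id"], spec))
    return bad


def demo() -> dict:
    """Run the check for the versions mentioned on the page plus one old one."""
    db = load_db()
    return {v: check_installed({"pip": v}, db) for v in ("19.3.1", "20.0.3", "1.4.1")}


if __name__ == "__main__":
    for ver, hits in demo().items():
        print(f"pip {ver}: {hits or 'no advisories'}")
    print("over-broad specs:", overbroad_specs(load_db()) or "none")
```

Running it reports pip 1.4.1 against pyup.io-37752 and leaves 19.3.1 and 20.0.3 clean, which is the result the reporter expected. The `overbroad_specs` pass is the check worth adding to any pipeline that consumes a third-party vulnerability feed: a single mis-entered spec such as ">=0" turns an advisory into a hit on every version, and a constant stream of such hits trains people to ignore the tool.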
Issue Analytics
- Created 4 years ago
- Reactions: 68
- Comments: 8
Top GitHub Comments
@d-me-tree, @belthaZornv, @isabelrios, @AlexSunins-ECS and anybody else with similar thoughts in mind, please don’t do this ever again, anywhere. If you’re affected by the issue, hit 👍 under the first comment please. Be considerate of your fellow readers/subscribers and don’t spam the thread and their inboxes with meaningless messages. Thanks.
The fix in pyupio/safety-db#2286 should be enough to resolve this issue. I verified pipenv check is no longer complaining on my projects. Closing this issue. Thanks @thehesiod for your help!