I've searched through existing issues, and tried to find clues in the source (which I've never cracked open before). Neither turned up anything for me, so here's an issue!
pipenv check fails when checking the pip version. It warns about an issue in versions of pip older than 1.5. I've seen this on a macOS machine and a circleci docker image running pip 19.3.1 and 20.0.3, respectively.
I'm using Python 3.6, and managing python versions with pyenv.
Since the installed version of pip is greater than 1.5, I would expect this check to pass instead of fail.
Checking installed package safety…
37752: pip resolved (19.3.1 installed)!
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.
Here's a handy little script to reproduce.
mkdir pipenv_check
cd pipenv_check
pipenv --python 3.6
pipenv check
$ pipenv --support
Pipenv version: '2018.11.26'
Pipenv location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/lib/python3.7/site-packages/pipenv'
Python location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/bin/python3.7'
Python installations found:
3.7.5: /usr/local/bin/python3
3.7.5: /usr/local/bin/python3.7m
3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3
3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3.7m
3.6.6: /Users/jules/.pyenv/versions/645_a2/bin/python3
3.6.6: /Users/jules/.pyenv/versions/3.6.6/bin/python3.6m
2.7.16: /usr/bin/python
2.7.16: /usr/bin/pythonw
2.7.16: /usr/bin/python2.7
2.7.8: /Users/jules/.pyenv/versions/2.7.8/bin/python
2.6.6: /Users/jules/.pyenv/versions/test/bin/python
2.6.6: /Users/jules/.pyenv/versions/hadoop/bin/python
2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python
2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python2.6
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.7.5',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '17.7.0',
'platform_system': 'Darwin',
'platform_version': 'Darwin Kernel Version 17.7.0: Thu Jan 23 07:05:23 PST '
'2020; root:xnu-4570.71.69~1/RELEASE_X86_64',
'python_full_version': '3.7.5',
'python_version': '3.7',
'sys_platform': 'darwin'}
System environment variables:
PATH
__GIT_PROMPT_IGNORE_STASH
TERM_PROGRAM
PYENV_ROOT
ANDROID_HOME
TERM
SHELL
TMPDIR
Apple_PubSub_Socket_Render
TERM_PROGRAM_VERSION
TERM_SESSION_ID
__GIT_PROMPT_SHOW_UPSTREAM
USER
__GIT_PROMPT_SHOW_UNTRACKED_FILES
SSH_AUTH_SOCK
PYENV_VIRTUALENV_INIT
_
PWD
LANG
XPC_FLAGS
XPC_SERVICE_NAME
HOME
SHLVL
PYENV_SHELL
GIT_BRANCH
__GIT_PROMPT_SHOW_CHANGED_FILES_COUNT
__GIT_PROMPT_IGNORE_SUBMODULES
LOGNAME
__CF_USER_TEXT_ENCODING
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
Debug–specific environment variables:
PATH: /usr/local/Cellar/pipenv/2018.11.26_2/libexec/tools:/Users/jules/Library/Python/2.7/bin:/usr/local/Cellar/pyenv-virtualenv/1.1.3/shims:/Users/jules/.pyenv/shims:/Users/jules/.pyenv/bin:/usr/local/opt/gettext/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin:/Applications/Wireshark.app/Contents/MacOS:/Users/jules/Library/Android/sdk/tools:/Users/jules/Library/Android/sdk/platform-tools:/Applications/microchip/xc8/v2.05/bin:/Applications/microchip/xc8/v2.05/bin
SHELL: /bin/bash
LANG: en_CA.UTF-8
PWD: /Users/jules/pipenv_check
Contents of Pipfile ('/Users/jules/pipenv_check/Pipfile'):
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
[packages]
[requires]
python_version = "3.6"
Seems like the pyup.io database is messed up:
curl -s -H "X-Api-Key: 1ab8d58f-5122e025-83674263-bc1e79e0" https://pyup.io/api/v1/safety/insecure.json | jq .pip
[
"<1.4",
"<6.0",
"<6.1.0",
"<1.3",
"<1.3",
"",
"<1.5"
]
The "" matches every version, thus the fail.
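The comment above explains the false positive: an empty specifier in the safety database is an unconstrained PEP 440 specifier set, so every installed pip version "matches" it. The following is an added example (not pipenv's or pyup's own code) with a small, simplified version matcher and a constructed copy of the `pip` entry quoted above; it contrasts the naive "any matching specifier fires" behaviour with a hardened check that treats an empty specifier as a database defect rather than as a vulnerability in the installed package. The function names and the sample database are assumptions made for illustration.

```python
# Added example: why an empty specifier in a vulnerability database
# matches every installed version, and a defensive check that flags it.
# Simplified re-implementation for illustration; not pyup's safety code
# and not pipenv's own `check` logic.
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the pyup.io insecure.json shape quoted
# above: package name -> list of affected-version specifiers.
SAMPLE_INSECURE_DB: Dict[str, List[str]] = {
    "pip": ["<1.4", "<6.0", "<6.1.0", "<1.3", "<1.3", "", "<1.5"],
}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.3.1' into (19, 3, 1); simple numeric releases only."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so (1, 4) compares equal to (1, 4, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(spec: str, version: str) -> bool:
    """Does `version` satisfy a specifier set such as '<1.5' or '>=1.0,<2.0'?

    An empty specifier set has no clauses, so the loop never rejects and
    every version satisfies it. That is exactly what makes the "" entry
    in the database report every pip release as insecure.
    """
    installed = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(<=|>=|==|!=|<|>)\s*([\d.]+)", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(installed, bound)
        if not _OPS[op](a, b):
            return False
    return True


def naive_findings(db: Dict[str, List[str]], package: str, version: str) -> List[str]:
    """Behaviour that produces the false positive: any matching spec fires."""
    return [spec for spec in db.get(package, []) if version_matches(spec, version)]


def hardened_findings(
    db: Dict[str, List[str]], package: str, version: str
) -> Tuple[List[str], List[str]]:
    """Skip unconstrained (empty) specs and report them as database defects
    instead of as vulnerabilities in the installed package."""
    findings: List[str] = []
    defects: List[str] = []
    for spec in db.get(package, []):
        if not spec.strip():
            defects.append(f"{package}: empty specifier would match every version")
            continue
        if version_matches(spec, version):
            findings.append(spec)
    return findings, defects


if __name__ == "__main__":
    # pip 19.3.1 is newer than every real bound, yet the naive check fires.
    print("naive:   ", naive_findings(SAMPLE_INSECURE_DB, "pip", "19.3.1"))
    print("hardened:", hardened_findings(SAMPLE_INSECURE_DB, "pip", "19.3.1"))
```

Running the block shows the naive check reporting the single empty specifier for pip 19.3.1 while the hardened check reports no findings and one database defect. Real specifier handling (pre-releases, `~=`, wildcards) belongs to the `packaging` library; the matcher here is deliberately minimal so the effect of the empty entry is visible on its own.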
@d-me-tree, @belthaZornv, @isabelrios @AlexSunins-ECS and anybody else with the similar thoughts in mind, please don't do this ever again, anywhere. If you're affected by the issue, hit :+1: under the first comment please. Be considerate of your fellow readers/subscribers and don't spam the thread and their inboxes with meaningless messages. Thanks.
As noted in the commit above, the workaround for now is
pipenv check --ignore 37752
Also, guys, do you mind deleting the comments to avoid this happening again?
I logged this yesterday: https://github.com/pyupio/safety-db/issues/2286
looks like they never fixed it
The fix in pyupio/safety-db#2286 should be enough to resolve this issue. I verified pipenv check is no longer complaining on my projects. Closing this issue. Thanks @thehesiod for your help!