oss-sec mailing list archives

CVE Request: MD5 used for Download verification

From: Donald Stufft <donald () stufft io>
Date: Mon, 11 Mar 2013 15:32:52 -0400

I'd like to request CVE(s?) for the Python software: setuptools[1] and distribute[2]

Setuptools (and it's fork distribute) utilize MD5 in order to verify that a download has not been tampered with. 

As far as I know this affects all versions of both setuptools and distribute. 

It also affects zc.buildout[3] which utilizes the md5 checking from distribute. It does not affect pip[4] as pip has 
grown it's own handling code outside of setuptools/distribute to allow stronger hashes.

[1] https://pypi.python.org/pypi/setuptools/0.6c11
[2] https://pypi.python.org/pypi/distribute/0.6.35
[3] https://pypi.python.org/pypi/zc.buildout/2.0.1
[4] https://pypi.python.org/pypi/pip/1.3.1

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

CVE Request: MD5 used for Download verification Donald Stufft (Mar 11)
- Re: CVE Request: MD5 used for Download verification Jeremy Stanley (Mar 11)