Update bundled pip to address CVE-2023-5752 in cpython 3.9 & 3.10

[briensea]

Update bundled pip to address CVE-2023-5752 in cpython 3.9 & 3.10

Description:

A security vulnerability, CVE-2023-5752, has been identified in older versions of pip. The versions of pip bundled with CPython 3.9 and 3.10 are affected.

This results in users being required to manually update pip to mitigate the security vulnerability.

CPython versions affected:

• 3.9 (bundled pip version outdated)
• 3.10 (bundled pip version outdated)

Operating systems tested on:

• Linux

Linked PRs

• gh-131860: Update bundled pip version to 24.0. #131861
• gh-131860: Update bundled pip version to 24.0 #131863

[picnixz]

@sethmlarson @gpshead The CVE has a moderate severity and only affects users using pip install hg+ urls. Is this something we want to update?

Note that we can still update pip just after downloading it

[AA-Turner]

@briensea thank you for opening the issue. As these are binaries distributed with Python, we generally have a trusted individual (e.g. a pip maintainer) make the pull request.

A

[briensea]

Thanks, @AA-Turner. Is there a timeline for when this might be addressed? I understand that users can update pip after downloading, but for environments where the binaries are redistributed, relying on manual updates isn’t always ideal. Avoiding custom patches would be preferable, so I’m curious if there are plans to update the bundled version directly.

[picnixz]

3.9 and 3.10 are sources only and thus are usually expected to be used either by downstream distributions, and they could apply their own patches, or by more experienced users that would compile Python from sources.

When I said that we can update pip, this is what pip suggests namely "a new pip version is available, install it using pip install -U pip", so it's also the usual way of upgrading that package.

Now, the CVE has a moderate severity, and it's only affecting mercurial installations. I don't know hwo much it's used but I don't think we necessarily need to publish a new source-only release for 3.9 and 3.10, hence why I asked Seth whether this should be treated as a security issue to patch.

[zware]

See also gh-112516, gh-119778, gh-102202, etc. I would not expect updates to the bundled wheels in security branches unless there is a vulnerability identified that prevents safely using the bundled pip to update itself, and maybe not even then. In general, we assume that if a user is security-conscious enough to build and use a Python security-only release, they're also security-conscious enough to handle updating (or otherwise avoiding security issues from) ensurepip wheels.

I wonder if we should avoid this class of issues by removing ensurepip wheels from security releases entirely, and requiring that WHEEL_PKG_DIR be specified in order to use ensurepip from such a release.

[pradyunsg]

As these are binaries distributed with Python, we generally have a trusted individual (e.g. a pip maintainer) make the pull request.

FWIW, this is no longer necessary.

https://github.com/python/cpython/blob/main/.github/workflows/verify-ensurepip-wheels.yml ensures that the binaries provided have the appropriate checksums.