Launchpad.net

CVE 2013-1888

pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.

See the CVE page on Mitre.org for more details.