It was discovered that pip did not properly sanitize the filename during
pip install. A remote attacker could possible use this issue to read and
write arbitrary files on the host filesystem as root, resulting in a
directory traversal attack. (CVE-2019-20916)