ez_setup.py download and extraction flooding vulnerability
ez_setup.download_setuptools() does not limit the amount of data that is downloaded with urllib. An attacker who can forge the HTTP response can serve a very large or even infinite body (e.g. netcat < /dev/zero). This can consume large amounts of memory or fill the disk under /tmp. src.read() should be limited to a sane value (e.g. 2-5 MB) and raise an error if more data is downloaded.
ez_setup._extractall() should be limited, too. It is vulnerable to a zip decompression bomb.
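The two limits the report asks for, as an added example that is not code from ez_setup.py: a bounded reader that gives up once the response exceeds a cap, and a pre-extraction check of a zip's declared sizes and compression ratios. ZeroStream, read_bounded, check_zip_bounds and make_zip are names chosen here; the 100:1 ratio threshold is an assumed value.

```python
import io
import zipfile

class DownloadTooLarge(Exception):
    pass

class ArchiveTooLarge(Exception):
    pass

class ZeroStream:
    """Constructed stand-in for a hostile server that never stops sending
    (the report's `netcat < /dev/zero` case); never used on the network."""
    def read(self, n=-1):
        return b"\0" * (n if n > 0 else 65536)

def read_bounded(src, max_bytes, chunk_size=65536):
    """Read a file-like response in chunks but never buffer more than
    max_bytes; raise instead of consuming memory on an endless body."""
    buf = io.BytesIO()
    total = 0
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            return buf.getvalue()
        total += len(chunk)
        if total > max_bytes:
            raise DownloadTooLarge("response exceeded %d bytes" % max_bytes)
        buf.write(chunk)

def check_zip_bounds(data, max_total, max_ratio=100):
    """Inspect the central directory before extracting anything: reject an
    archive whose declared uncompressed total or per-member compression
    ratio is implausible. Returns the declared total when within bounds."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if total > max_total:
                raise ArchiveTooLarge("declared size exceeds %d bytes" % max_total)
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ArchiveTooLarge("%s: suspicious compression ratio" % info.filename)
    return total

def make_zip(entries):
    """Build a constructed in-memory zip from {name: bytes} for testing."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return out.getvalue()
```

Checking declared sizes from the central directory is cheap but only a first line of defence; a careful caller also bounds the bytes actually written during extraction, since the declared sizes can lie.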