[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVEs for malicious software in PYPI

On 2017-09-15 20:53, Kurt Seifried wrote:
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
> TL;DR: Someone may PYPI packages that were malicious, and typo/close
> names of legit things (e.g. acquisition / acqusition). I'd like to
> assign CVEs to them so they are identified, so two thoughts:
> 1) people uploaded code (meant to be malicious or not) to PYPI that
> has flaws, so CVE right

> 2) the typo squatting aspect, should this get a CVE? There is obvious
> intent of shenanigans, but... how do we count it?
While something that needs to be identified/alerted about, I don't 
think CVE is the right identifier.

There's lots of intentionally created malicious software, the ability 
to create such software is not a vulnerability, we don't assign CVE IDs 
to malware...

Anyone can typo-squat, again, the act of or ability to do so is not a 
vulnerability, how many potential typo-squats are there in the world?

PYPI (and all software) needs signatures to deal with authenticity.  I 
could be convinced that the lack of such infrastructure in PYPI gets a 

 - Art

Page Last Updated or Reviewed: September 18, 2017