|
|
On 2017-09-15 20:53, Kurt Seifried wrote:
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
>
> TL;DR: Someone may PYPI packages that were malicious, and typo/close
> names of legit things (e.g. acquisition / acqusition). I'd like to
> assign CVEs to them so they are identified, so two thoughts:
>
> 1) people uploaded code (meant to be malicious or not) to PYPI that
> has flaws, so CVE right
> 2) the typo squatting aspect, should this get a CVE? There is obvious
> intent of shenanigans, but... how do we count it?
While something that needs to be identified/alerted about, I don't think CVE is the right identifier.
There's lots of intentionally created malicious software, the ability to create such software is not a vulnerability, we don't assign CVE IDs to malware...
Anyone can typo-squat, again, the act of or ability to do so is not a vulnerability, how many potential typo-squats are there in the world?
PYPI (and all software) needs signatures to deal with authenticity. I could be convinced that the lack of such infrastructure in PYPI gets a CVE ID.
- Art