Re: CVEs for malicious software in PYPI
+1
--
Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com
On 9/20/17, 9:57 AM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Pascal Meunier" <owner-cve-editorial-board-list@lists.mitre.org on behalf of pmeunier@cerias.purdue.edu> wrote:
1) Identifying vulnerabilities in malicious code would be in the scope of the CVE but it has doubtful utility. Identifying malicious code is out of scope.
2) Typo squatting, whether in domain names or package names, is not a software vulnerability; it's a namespace management issue and an attack vector, out of scope of the CVE.
Pascal
On Fri, 2017-09-15 at 18:53 -0600, Kurt Seifried wrote:
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
>
> TL;DR: Someone made PYPI packages that were malicious, and typo/close names of legit things (e.g. acquisition / acqusition). I'd like to assign CVEs to them so they are identified, so two thoughts:
>
> 1) people uploaded code (meant to be malicious or not) to PYPI that has flaws, so CVE, right?
> 2) the typo squatting aspect, should this get a CVE? There is obvious intent of shenanigans, but... how do we count it?
>