[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVEs for malicious software in PYPI
- To: Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: Re: CVEs for malicious software in PYPI
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Date: Wed, 20 Sep 2017 10:55:09 -0400
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;
- Delivery-date: Wed Sep 20 11:59:44 2017
- In-reply-to: <CABqVa3-Kb9V0iF1Cr2PQnxwMLy2GfYUyzaD1oa-EJ0mga9Wgcg@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CABqVa3-Kb9V0iF1Cr2PQnxwMLy2GfYUyzaD1oa-EJ0mga9Wgcg@mail.gmail.com>
- Reply-to: <pmeunier@cerias.purdue.edu>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
1) Identifying vulnerabilities in malicious code would be in the scope of the CVE but it has doubtful utility. Identifying malicious code is out of scope 2) Typo squatting whether in domain names or package names is not a software vulnerability, it's a namespace management issue and an attackvector, out of scope of the CVE. Pascal On Fri, 2017-09-15 at 18:53 -0600, Kurt Seifried wrote: > http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html > > TL;DR: Someone may PYPI packages that were malicious, and typo/close > names > of legit things (e.g. acquisition / acqusition). I'd like to assign > CVEs to > them so they are identified, so two thoughts: > > 1) people uploaded code (meant to be malicious or not) to PYPI that > has > flaws, so CVE right > 2) the typo squatting aspect, should this get a CVE? There is obvious > intent of shenanigans, but... how do we count it? >
- Follow-Ups:
- Re: CVEs for malicious software in PYPI
- From: "Landfield, Kent" <Kent_Landfield@McAfee.com>
- Re: CVEs for malicious software in PYPI
- References:
- CVEs for malicious software in PYPI
- From: Kurt Seifried <kurt@seifried.org>
- CVEs for malicious software in PYPI
- Prev by Date: Agenda for CVE Board Meeting September 20
- Next by Date: Re: CVEs for malicious software in PYPI
- Previous by thread: Re: CVEs for malicious software in PYPI
- Next by thread: Re: CVEs for malicious software in PYPI
- Index(es):
