[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: assignments for malware
- To: Art Manion <amanion@cert.org>
- Subject: Re: assignments for malware
- From: Kurt Seifried <kurt@seifried.org>
- Date: Mon, 13 Aug 2018 15:27:35 -0600
- Authentication-results: spf=softfail (sender IP is 192.52.194.235) smtp.mailfrom=seifried.org; imc.mitre.org; dkim=pass (signature was verified) header.d=seifried-org.20150623.gappssmtp.com;imc.mitre.org; dmarc=none action=none header.from=seifried.org;
- Cc: jericho <jericho@attrition.org>, CVE Editorial Board <cve-editorial-board-list@mitre.org>
- Delivery-date: Tue Aug 14 07:38:57 2018
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seifried-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=id9ywv2o+naqGds+InA0qG7ZToRqxf8QmzV/UilDsk4=; b=KTnDu29mwabucOI+2GY1CLKnGNHhjWAay95T4f5ZYnYO9RJlYMtqUnGnSjMhA8n+xi LF0zKwKqAy/YpBcR0awzkk2uttH76VfypPw2dTp/OGv4bFORPgz2cTUE3WmcQ67Djty0 M4bEdPrauJgdxBWWSO/QJ6PjrB8iDnHqmvqUqowcJDCPnF+bvi2mhmoPAacYUInWKIUr A2SCKBs8LepTWKjNTLzfK4/rsy7pCv2sJaiAak4Byj4oK2aKeocf+TKlsPSD+en42NSc 6fTWLGQTpef3POIQbZOxrod4clIT9OI0rpJtxcQriibrEBDoeuyfo5jtPoOIF8KxNPK1 b7Tg==
- In-reply-to: <d6370fc3-3645-6cd7-c4d1-072aeb28918f@cert.org>
- References: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org> <d6370fc3-3645-6cd7-c4d1-072aeb28918f@cert.org>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
The NPM problems aren’t new, CPAN had (and still has) many of the same problems. -Kurt > On Aug 13, 2018, at 15:19, Art Manion <amanion@cert.org> wrote: > >> On 8/13/18 12:55 PM, jericho wrote: >> >> The second type is just a malicious module that has nothing to do >> with the legitimate module, other than a similar name as the means >> for getting people to download it. An example of that is >> CVE-2017-16044: >> `d3.js` was a malicious module published with the intent to >> hijack >> environment variables. It has been unpublished by npm. > > This seems out of scope for CVE. I get that npm-style software > distribution is a "new" and real thing, and without having recently > looked at it in detail, my impression is that npm and it's ecosystem > isn't terribly secure, which is an intentional choice: > > > https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability > > In ancient box product terms, the analog is "I downloaded and linked > lib-png.so because I wanted to include PNG support in my > application." Not a technical vulnerability, I accidentally > installed malware. > > Yes, these matter, and I'm in favor of telling the public about > malicious npm-managed code, but that might not be CVE's job. > > I don't see much of a difference with CVE-2018-3779. Intentionally > malicious code masquerading as legitimate, gains authority and > reputation by being allowed on npm in the first place, depends on > community to find and remove. > > In terms of being vulnerabilities (and in scope for CVE), I'd say no, > not in scope. I wouldn't suggest removing any existing assignments, > but either stop or make a decision to include such things in CVE's > scope? > > Trying out the other side: There is a (popular but insecure) software > development ecosystem, within that system, flagging malicious > components is treated like a vulnerability/CVE assignment? Still > doesn't really work for me. > > - Art >
- References:
- assignments for malware
- From: jericho <jericho@attrition.org>
- Re: assignments for malware
- From: Art Manion <amanion@cert.org>
- assignments for malware
- Prev by Date: Re: assignments for malware
- Next by Date: Re: assignments for malware
- Previous by thread: Re: assignments for malware
- Next by thread: Speaking of CVE for services
- Index(es):
