Hi, FYI I just sent a public advisory for the PyPI typo squatting issue to the new security-announce list:
[Security-announce] Typo squatting and malicious packages on PyPI https://mail.python.org/pipermail/security-announce/2017-September/000000.html Please subscribe to this newly created mailing list to stay tuned! https://mail.python.org/mailman/listinfo/security-announce Victor 2017-09-15 22:28 GMT+02:00 Victor Stinner <victor.stin...@gmail.com>: > Hi, > > Last week, the National Security Authority of Slovakia contacted the > Python Security Response Team (PSRT) to report that the Python Package > Index (PyPI) was hosting malicious packages. Installing these packages > send user data to a HTTP server, but also install the expected module > so it was an easy to notice the attack. > > Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ > > Kudos to them to report the issue! > > > It's not a compromise of the PyPI server nor a third-party project, > but the "typo squatting" issue which is known since at least June 2016 > (for PyPI). The issue is not specific to Python, npmjs.com or > rubygems.org are vulnerable to the same issue. > > For example, a malicious package used the names "urllib" (no 3) and > "urlib3" (1 L) instead of "urllib3" (2 L). These packages were > downloaded by users, so the attack was effective. > > More information on typo squatting and Python package security: > https://python-security.readthedocs.io/packages.html#pypi-typo-squatting > > The PRST contacted PyPI administrators and all identified packages > were taken down, only 1h10 after the PSRT received the email from the > National Security Authority of Slovakia! > > > The typo squatting issue is known and discussed, but not solution was > found yet. See for example this warehouse issue: > https://github.com/pypa/warehouse/issues/2151 > > It seems like the consensus is that pip is not responsible to detect > malicious code, it's more the responsability of PyPI. > > The problem is to decide how to detect malicious code and/or prevent > typo squatting on PyPI. > > > The issue has been discussed privately on the PSRT list last week. The > National Security Authority of Slovakia just published their advisory, > and a public discussion started on reddit: > https://news.ycombinator.com/item?id=15256121 > > I consider that it's now time to find a solution on the public > python-dev mailing list. > > > Let's try to find a solution! > > Can we learn something from the Update Framework (TUF)? > > How does Javascript, Ruby, Perl and other programming languages deal > with these security issues on their package manager? > > > See also my other notes on Python security and the list of known > CPython vulnerabilities: > https://python-security.readthedocs.io/ > > Victor _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
