Fedora Linux Support Community & Resources Center
  #1  
Old 15th September 2017, 11:21 PM
nonamedotc
Malicious software libraries found in PyPI posing as well known libraries

Source - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Partial quote -
Quote:
== Summary ==

SK-CSIRT identified malicious software libraries in the official Python package
repository, PyPI, posing as well known libraries. A prominent example is a fake
package urllib-1.21.1.tar.gz, based upon a well known package
urllib3-1.21.1.tar.gz.

Such packages may have been downloaded by an unwitting developer or administrator
by various means, including the popular "pip" utility (pip install urllib).
There is evidence that the fake packages have indeed been downloaded and
incorporated into software multiple times between June 2017 and September 2017.

Ycombinator discussion - https://news.ycombinator.com/item?id=15256121
  #2  
Old 16th September 2017, 03:42 AM
ocratato
Re: Malicious software libraries found in PyPI posing as well known libraries

I think the most troubling aspect of this was that the malware is installed by the installation script - something that will often be run with admin privileges and would rarely be reviewed.

It would also work with software that was installed with "make install" where the malware could be installed by a line in the install target.
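The point made in the post above is that the payload lives in the package's install script rather than in the library code, so a reviewer who only reads the module sources sees a clean copy of the original. What follows is an added example (not code from the advisory or from the forum posters) of the kind of static check one can run over a setup.py before installing it: it parses the file with Python's ast module and flags install-time hooks (subclasses of the setuptools install/develop commands, a cmdclass override passed to setup()) and calls that have no business in a build script (process spawning, eval/exec, network access, payload decoding). The two setup.py sources are constructed for the example; the "suspicious" one only runs `echo hi` and is never executed by the scanner, and the list of flagged call names is an assumption to be extended for a real deployment.

```python
import ast

# Constructed sample: a setup.py whose install command runs code at install
# time (the pattern described in the advisory, not the real SK-CSIRT payload;
# the base64 string is just "echo hi").
SUSPICIOUS_SETUP_PY = '''
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("ZWNobyBoaQ==")
        subprocess.call(payload, shell=True)

setup(name="urllib", version="1.21.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with no install-time hooks.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="urllib3", version="1.21.1", packages=["urllib3"])
'''

# Assumed denylist: calls a normal setup.py has no reason to make.
SUSPICIOUS_CALLS = {
    "subprocess.call", "subprocess.Popen", "subprocess.run",
    "subprocess.check_output", "os.system", "os.popen",
    "exec", "eval", "compile",
    "base64.b64decode", "urllib.request.urlopen", "urllib2.urlopen",
    "requests.get", "socket.socket", "socket.create_connection",
}

# setuptools command classes that a malicious package overrides to run code
# during "pip install" or "python setup.py install/develop".
HOOKABLE_COMMANDS = ("install", "develop", "egg_info", "build_py")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a sorted list of (line, reason) findings for one setup.py source."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, "call to " + name))
            # setup(cmdclass={...}) replaces a standard command with custom code.
            if name == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.add((node.lineno,
                                      "setup() overrides commands via cmdclass"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                bname = _dotted_name(base)
                if bname and bname.split(".")[-1] in HOOKABLE_COMMANDS:
                    findings.add((node.lineno,
                                  "subclasses setuptools command " + bname))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY),
                       ("benign", BENIGN_SETUP_PY)):
        print(label)
        for line, reason in scan_setup_py(src):
            print("  line %d: %s" % (line, reason))
```

The scanner deliberately never imports or executes the file it inspects; executing setup.py is exactly the step that delivers the payload. Running it over the sdist before `pip install` (or over a `make install` target's script, by the same logic) gives a reviewer a short list of lines to read instead of the whole package.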
  #3  
Old 16th September 2017, 12:48 PM
srakitnican
Re: Malicious software libraries found in PyPI posing as well known libraries

I don't see how an installation script would make a typo in a Python package name. I see this as a kind of phishing attempt, PyPI style. If you are just blindly installing libraries from any source without checking whether it is the original source, then I would say you are being reckless. Like everywhere else, there exist trusted users as well as some less trusted ones.
  #4  
Old 16th September 2017, 01:05 PM
ocratato
Re: Malicious software libraries found in PyPI posing as well known libraries

Quote:
Originally Posted by srakitnican View Post
I don't see how an installation script would make a typo in a Python package name. I see this as a kind of phishing attempt, PyPI style. If you are just blindly installing libraries from any source without checking whether it is the original source, then I would say you are being reckless. Like everywhere else, there exist trusted users as well as some less trusted ones.
I don't think it's a typo in the installation script, but it's when the user makes a typo in the package name, such as urlib rather than urllib. The installation script in this alternative is what carries the malware - the library itself is just a copy of the real thing, so there is nothing to flag that you might have downloaded the wrong package.

Part of the problem is that the Python repo is getting about 100 new packages per day, which makes it impossible to curate without relying on a lot of automation.

Tags
pypi , python
