Re: [Sugar-devel] Malicious code in dateutil

2020-01-23 Thread James Cameron
I agree with Martin.  This security event is of no consequence to us,
because we use the libraries included in Python.

It reminds us too that we should avoid adding dependencies on
untrusted source code, and especially be wary of adding any use of
pypi.

On Thu, Jan 23, 2020 at 07:54:07PM -0300, Martin Abente wrote:
> "The first is "python3-dateutil," which imitated the popular "dateutil"
> library. The second is "jeIlyfish" (the first L is an I), which mimicked the
> "jellyfish" library."
> 
> If you read that carefully, it says these 2 libraries imitated the real
> libraries. It does not say that the original libraries were compromised.
> 
> On Thu, Jan 23, 2020 at 7:50 PM Chihurumnaya Ibiam <ibiamchihurumn...@gmail.com> wrote:
> 
> Dateutil has been found to contain malicious code, a github search shows
> 10+ uses of dateutil in Sugar Labs repos.
> 
> You can read more about it here
> https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel


-- 
James Cameron
http://quozl.netrek.org/


Re: [Sugar-devel] Malicious code in dateutil

2020-01-23 Thread bottersnike237
It’s worth noting this is specifically the typo-squatting “python3-dateutil”
package, and not the very legitimate “dateutil” package. The former only lasted
on PyPI for about 2 days, so it would be a surprise if it was somehow
integrated into SL code within that timeframe.
From: Sugar-devel  On Behalf Of 
Chihurumnaya Ibiam
Sent: 23 January 2020 22:50
To: Sugar-dev Devel 
Subject: [Sugar-devel] Malicious code in dateutil
Dateutil has been found to contain malicious code, a github search shows 10+ 
uses of dateutil in Sugar Labs repos.
You can read more about it here

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

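A concrete check for the two points made in this thread (the malicious package is the typosquat "python3-dateutil", not "dateutil", and James's advice to be wary of new PyPI dependencies). This is an added example, not code from the Sugar Labs repositories. It scans a requirements file and rejects a name if it is one of the two the ZDNet report says were removed from PyPI, if it is a confusable spelling of a trusted name (the capital I for lowercase l in "jeIlyfish"), if it is one edit away from a trusted name, or if it is simply not on a project allowlist. The allowlist ALLOWED, the sample manifest and the near-miss name "requets" are constructed for the example and are not Sugar's real dependencies.

```python
"""Flag typosquat-style package names in a requirements file.

Added example, not Sugar Labs code. ALLOWED is an assumed allowlist, not the
project's real dependency list; KNOWN_BAD holds the two names the ZDNet
report says were removed from PyPI.
"""
import re

# The two packages the ZDNet article reports as removed from PyPI.
KNOWN_BAD = {"python3-dateutil", "jeIlyfish"}

# Assumed allowlist; python-dateutil is the distribution name behind `import dateutil`.
ALLOWED = {"python-dateutil", "jellyfish", "requests", "six"}

# Characters an attacker swaps for look-alikes, mapped onto one canonical glyph.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def normalize(name):
    """PEP 503 name normalization: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name):
    """Normalized name with confusable characters collapsed, for homoglyph matching."""
    return normalize(name.translate(CONFUSABLES))


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name):
    """Why `name` resembles a trusted package, or None if it is trusted or unrelated."""
    norm = normalize(name)
    if norm in {normalize(a) for a in ALLOWED}:
        return None
    for good in sorted(ALLOWED):  # sorted so the first match is deterministic
        if skeleton(name) == skeleton(good):
            return f"confusable spelling of {good}"
        if levenshtein(norm, normalize(good)) == 1:
            return f"one edit away from {good}"
    return None


def check_requirement(name):
    """Reason to reject `name`, or None if it is on the allowlist."""
    if normalize(name) in {normalize(a) for a in ALLOWED}:
        return None
    if normalize(name) in {normalize(b) for b in KNOWN_BAD}:
        return "known malicious package (removed from PyPI)"
    # Unknown but not look-alike: still rejected, per the "no new PyPI deps" policy.
    return lookalike_reason(name) or "not on the project allowlist"


def scan_requirements(text):
    """Return [(name, reason)] for every requirement line that should be rejected."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks, comments, pip options (-r, --index-url)
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name ends at extras or version specifier
        if m and (reason := check_requirement(m.group(0))):
            findings.append((m.group(0), reason))
    return findings


# Constructed sample manifest, not a real Sugar Labs file; "requets" is an invented near-miss.
SAMPLE_REQUIREMENTS = """\
python-dateutil>=2.8
python3-dateutil==2.8.1
jeIlyfish
requests[security]==2.22.0
requets
six
"""

if __name__ == "__main__":
    for name, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"REJECT {name}: {reason}")
```

On the sample the scan rejects three lines: both names from the report hit the blocklist, and they would also be caught without it (the confusable rule catches "jeIlyfish", the edit-distance rule catches "python3-dateutil" against "python-dateutil"), while the invented "requets" is flagged only as a near-miss of requests. The place to run this is CI, over every requirements.txt and setup.py install_requires, before pip ever talks to the index.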


Re: [Sugar-devel] Malicious code in dateutil

2020-01-23 Thread Martin Abente
*"The first is "python3-dateutil," which imitated the popular "dateutil"
library. The second is "jeIlyfish" (the first L is an I), which mimicked
the "jellyfish" library."*
If you read that carefully, it says these 2 libraries imitated the real
libraries. It does not say that the original libraries were compromised.

On Thu, Jan 23, 2020 at 7:50 PM Chihurumnaya Ibiam <ibiamchihurumn...@gmail.com> wrote:

> Dateutil has been found to contain malicious code, a github search shows
> 10+ uses of dateutil in Sugar Labs repos.
>
> You can read more about it here
>
> https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/