[Sugar-devel] Malicious code in dateutil

James Cameron quozl at laptop.org
Thu Jan 23 19:58:06 EST 2020


I agree with Martin.  This security event is of no consequence to us,
because we use the libraries included in Python.

It reminds us too that we should avoid adding dependencies on
untrusted source code, and especially be wary of adding any use of
pypi.

On Thu, Jan 23, 2020 at 07:54:07PM -0300, Martin Abente wrote:
> "The first is "python3-dateutil," which imitated the popular "dateutil"
> library. The second is "jeIlyfish" (the first L is an I), which mimicked the
> "jellyfish" library."
> 
> If you read that carefully, it says these 2 libraries imitated the real
> libraries. It does not say that the original libraries were compromised.
> 
> On Thu, Jan 23, 2020 at 7:50 PM Chihurumnaya Ibiam <[1]
> ibiamchihurumnaya at gmail.com> wrote:
> 
>     Dateutil has been found to contain malicious code, a github search shows
>     10+ uses of dateutil in Sugar Labs repos.
> 
>     You can read more about it here
>     [2]https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
>     _______________________________________________
>     Sugar-devel mailing list
>     [3]Sugar-devel at lists.sugarlabs.org
>     [4]http://lists.sugarlabs.org/listinfo/sugar-devel
> 
> References:
> 
> [1] mailto:ibiamchihurumnaya at gmail.com
> [2] https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
> [3] mailto:Sugar-devel at lists.sugarlabs.org
> [4] http://lists.sugarlabs.org/listinfo/sugar-devel



-- 
James Cameron
http://quozl.netrek.org/
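The thread above turns on two typosquatted names: "python3-dateutil" standing in for python-dateutil, and "jeIlyfish" (capital I for l) standing in for jellyfish. The following script is an added example, not code from Sugar Labs or from anyone in this thread. It shows one defensive check a project could run in CI: every name in a requirements file is compared against an allowlist of dependencies the project deliberately chose, and a name that is not on the list but collides with one after confusable-glyph folding, or is nearly identical to one, is flagged. The allowlist, the confusable table, the 0.9 similarity threshold and the sample requirements text are all constructed for illustration.

```python
"""Flag dependency names that look like, but are not, packages on an allowlist.

Added example, not code from the Sugar Labs project or the mailing-list thread.
The allowlist and the requirements text below are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Hypothetical allowlist: packages the project has deliberately chosen to use.
ALLOWLIST = {"python-dateutil", "jellyfish", "requests", "six"}

# After lower-casing, these glyph pairs are hard to tell apart in a package
# name.  Both sides of every comparison are folded the same way, so the fold
# only matters when it makes two *different* names collide.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})

# Constructed threshold: "python3-dateutil" vs "python-dateutil" scores ~0.97.
SIMILARITY_THRESHOLD = 0.9


def canonical(name: str) -> str:
    """PEP 503 normalisation: case-fold, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name: str) -> str:
    """Canonical form with confusable glyphs merged: 'jeIlyfish' -> 'jellyflsh'."""
    return canonical(name).translate(CONFUSABLE)


def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as --index-url
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def classify(name: str, allowlist=ALLOWLIST) -> tuple[str, str]:
    """Return (verdict, closest allowlisted name) for one dependency name."""
    allowed = {canonical(a): a for a in allowlist}
    folded = {fold(a): a for a in allowlist}
    c = canonical(name)
    if c in allowed:
        return "ok", allowed[c]
    # Same name once confusable glyphs are merged: almost certainly a lookalike.
    if fold(name) in folded:
        return "confusable-lookalike", folded[fold(name)]
    # Otherwise find the allowlisted name it is closest to and score it.
    best, score = max(
        ((a, SequenceMatcher(None, c, canonical(a)).ratio()) for a in allowlist),
        key=lambda t: t[1],
    )
    if score >= SIMILARITY_THRESHOLD:
        return "near-match", best
    return "unknown", best


def audit(requirements_text: str, allowlist=ALLOWLIST) -> dict[str, tuple[str, str]]:
    """Classify every name in a requirements file against the allowlist."""
    return {n: classify(n, allowlist) for n in parse_requirements(requirements_text)}


# Constructed requirements file mixing a legitimate pin with two lookalikes.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project manifest
requests==2.22.0
python3-dateutil      # mimics python-dateutil
jeIlyfish             # capital I in place of l
totally-unrelated
"""

if __name__ == "__main__":
    for name, (verdict, closest) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:20} {verdict:22} closest allowlisted: {closest}")
```

Run it over a real manifest by replacing SAMPLE_REQUIREMENTS with the file contents; anything reported as "confusable-lookalike" or "near-match" deserves a human look before it is installed, and "unknown" simply means the allowlist needs a decision. The glyph fold is deliberately coarse (it merges i and l), which is harmless here because an exact allowlist hit is checked first and the fold is only used to detect collisions.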

