DaemonForums  

News News regarding BSD and related.

#1
Old 2nd August 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,776
Are Python Libraries Riddled With Security Holes?

From https://developers.slashdot.org/stor...security-holes

Quote:
"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each..."
The article also quotes The Register, which noted that security issues have also been found in other package repositories like "Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R)."
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2
Old 2nd August 2021
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Indonesia
Posts: 2,236

The headline is sensationalist: they just let a static analyzer loose on a lot of the code and reported the warnings for that. You can't just say "we got this many warnings, ergo, we had this many security issues": these tools just aren't that good, as the paper itself freely admits:

Quote:
there are obviously numerous false positives and negatives in the dataset. However, the paper’s large-scale approach makes it difficult to speculate about the extent of these
So basically, "we don't really know either how accurate this is".

My old Opera password reader is probably also in this dataset and labeled as "insecure" because it uses 3DES to decrypt the file. It's not insecure though.

exec() can certainly be used in insecure ways, but exec('ls') is perfectly fine, and even user input can actually be fine: typing "sudo ls" vs. "sudo <inject code>". Depending on the exact purpose of the tool it might still be better if it's fixed, of course, but let's not get overly hysterical about it either and label it as a "highly critical RCE" problem or whatnot. Looks nice on your CV, but doesn't really reflect reality.

Labeling "try: .. except: pass" as a security issue is frankly just silly.

etc. etc. Lots of issues with this paper. It certainly doesn't support the hysterical "Python code libraries are riddled with security holes" headline from the TechRadar write-up. Of course, I have little doubt that the "journalist" in question has actually read the paper beyond the abstract.

Related: https://buttondown.email/hillelwayne...-hate-science/
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
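An added example (editor's illustration, not code from either post or from the paper being discussed) of the point made in the reply above: a rule set that counts every call to a "dangerous" sink and every bare except: pass as a security issue will report findings that a context-aware rule set discards. The naive_scan() and contextual_scan() functions below are toy checkers written for this example; the SAMPLE module they are run over is constructed here and is not from any real package.

```python
"""Why raw static-analysis warning counts overstate risk.

naive_scan() mimics a rule set that flags every call to a dangerous sink and
every bare `except: pass`.  contextual_scan() keeps only sink calls whose
argument is not a string literal, i.e. where some runtime value (possibly
attacker-controlled) reaches the sink.  Both checkers and the sample module
are constructed for this example.
"""
import ast

# Sinks that a typical checker reports unconditionally.
SINK_CALLS = {"exec", "eval", "os.system", "os.popen",
              "subprocess.call", "subprocess.run", "subprocess.Popen"}

# Constructed sample: one harmless sink call, one real injection vector,
# and a sloppy-but-harmless exception handler.
SAMPLE = '''\
import os, subprocess

def list_dir():
    os.system("ls")                            # constant command

def run_user(cmd):
    subprocess.run("sudo " + cmd, shell=True)  # caller controls cmd

def parse(s):
    try:
        return int(s)
    except:
        pass                                   # swallows errors, not a hole
'''


def _call_name(node):
    """Return 'exec', 'os.system', etc. for a Call node, or '' if unknown."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def _is_literal(arg):
    """True if the sink argument is fully known at parse time."""
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return True
    if isinstance(arg, (ast.List, ast.Tuple)):
        return all(_is_literal(e) for e in arg.elts)
    return False


def naive_scan(src):
    """Every sink call and every bare `except: pass` becomes a finding."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _call_name(node) in SINK_CALLS:
            findings.append((node.lineno, f"call to {_call_name(node)}"))
        elif (isinstance(node, ast.ExceptHandler) and node.type is None
              and len(node.body) == 1 and isinstance(node.body[0], ast.Pass)):
            findings.append((node.lineno, "bare except: pass"))
    return sorted(findings)


def contextual_scan(src):
    """Only sink calls fed something other than a string literal count."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and _call_name(node) in SINK_CALLS:
            if node.args and not _is_literal(node.args[0]):
                findings.append(
                    (node.lineno, f"{_call_name(node)} with non-literal argument"))
    return sorted(findings)


if __name__ == "__main__":
    for name, scan in (("naive", naive_scan), ("contextual", contextual_scan)):
        hits = scan(SAMPLE)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, what in hits:
            print(f"  line {lineno}: {what}")
```

Run over SAMPLE, the naive checker reports three "issues" (the constant os.system("ls"), the subprocess.run with caller-supplied input, and the bare except) while the contextual one reports only the subprocess.run call, which is the one a reviewer would actually want to look at. Even that contextual rule is crude: it cannot tell whether cmd is attacker-controlled or comes from a trusted config file, which is exactly the kind of judgement a large-scale warning count cannot make.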