democritus-project/d8s-urls

code execution backdoor

Closed this issue · 2 comments

We discovered a potential code execution backdoor in version 0.1.0 of the project. The backdoor is the democritus-file-system package: attackers can upload democritus-file-system packages containing arbitrary malicious code. For the safety of this project, the democritus-file-system package has been uploaded by us.


The democritus-file-system package can be successfully installed using pip install d8s-urls==0.1.0


Suggestion: remove version 0.1.0 of this project in PyPI
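A defender-side check for the class of problem the report describes (a declared dependency whose name nobody has registered on the index, so whoever registers it first controls code that runs at install time). This is an added example, not code from the issue or from the project; the index snapshot and the Requires-Dist lines are constructed sample data, and a real audit would look each name up against the package index instead.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed index snapshot: normalized project name -> publishing account.
# Modelled on the issue: d8s-urls exists, democritus-file-system is absent.
INDEX_SNAPSHOT: Dict[str, str] = {
    "d8s-urls": "project-maintainer",
    "requests": "psf",
    # constructed sibling name to show a family member published by a stranger
    "democritus-example-constructed": "unknown-account",
}

# Constructed Requires-Dist lines standing in for the 0.1.0 release metadata.
REQUIRES_DIST: List[str] = [
    "democritus-file-system",
    "democritus-example-constructed (>=0.1)",
    "Requests[security] (>=2.0); python_version >= '3.6'",
]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dependency_name(requirement: str) -> str:
    """Project name of a PEP 508 requirement; extras, specifiers and markers are ignored."""
    m = _NAME_RE.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return normalize(m.group(1))


def audit(requirements: Iterable[str], index: Dict[str, str], expected_owner: str,
          family_prefixes: Tuple[str, ...] = ("democritus-", "d8s-")) -> Dict[str, str]:
    """Classify each dependency as 'unclaimed', 'foreign-owner' or 'ok'.

    'unclaimed'     : name not registered on the index at all (hijack risk).
    'foreign-owner' : name belongs to the project's own naming family but is
                      published by a different account than the parent package.
    """
    report: Dict[str, str] = {}
    for req in requirements:
        name = dependency_name(req)
        owner = index.get(name)
        if owner is None:
            report[name] = "unclaimed"
        elif name.startswith(family_prefixes) and owner != expected_owner:
            report[name] = "foreign-owner"
        else:
            report[name] = "ok"
    return report
```

Pin and hash dependencies (for example with `pip install --require-hashes`) so that even a name that later becomes registered cannot silently introduce new code.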

@di1l0o: Thanks for reporting this issue, but this is not something I'm going to resolve as no-one should be using such an old version of this library (and this library isn't widely used anyway).

@di1l0o: Can you please stop creating these issues? I appreciate the help and your concern, but this is really not a concern and is not worth the time it takes to fix.

Reach out if you have any questions or would like to discuss this further.