
Security and integrity of the Python packaging ecosystem is critical, and the smallest unit of a packaging ecosystem is a "package". Python packages use existing archive formats like ZIP and tar to distribute Python projects to their users. Archives seem simple on the surface, but many ZIP and tar features can be abused to confuse implementations into seeing different contents.
The Python Software Foundation Security Developer-in-Residence, Seth Larson, published a new white paper with Alpha-Omega titled "Slippery ZIPs and Sticky tar-pits: Security & Archives" about work to remediate 10 vulnerabilities affecting common archive format implementations such as ZIP and tar for critical Python projects. The white paper highlights how the PSF-maintained Python Package Index (PyPI) can be used to protect insecure implementations of archives preemptively, whether their vulnerability status is known or unknown, by coordinating disclosures with other packaging tools.
ZIP and tar features can be abused so that two implementations reading the same archive see different contents, which undermines package integrity across the Python ecosystem: a vulnerability or malware scanner may analyze one view of a package while the installer writes a different one to disk, a supply-chain gap that scanning alone cannot close. The paper covers ten vulnerabilities in common archive-format implementations used by critical Python projects and argues that remediation should target the most widely used implementations, including zipfile and tarfile in the standard library. It recommends using PyPI in a coordinated way to protect insecure implementations preemptively, whether or not their specific weakness is known, coordinating disclosures with other packaging tools, and producing archives reproducibly. Community support through PSF membership or donations funds continued security work.
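To make the "different contents from the same archive" problem concrete, here is an added example that is not code from the blog post or the white paper. It hand-builds a ZIP whose two local file headers share one name, `pkg/__init__.py` (a constructed name and constructed contents), while the central directory lists only the second. A streaming reader that walks local headers from the start of the file, as many scanners do, sees both entries and the benign one first; a central-directory reader, including the standard library's `zipfile`, sees only the second. The final function is the consistency check an installer or index could apply: every local header must be referenced by exactly one central-directory entry, and names must be unique. Entries are stored uncompressed with no data descriptors, which is an assumption of the toy parsers, not a property of ZIP in general.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"            # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"     # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"                # 22-byte end-of-central-directory record


def _local_header(name: bytes, data: bytes) -> bytes:
    """Stored (method 0) local file header followed immediately by its data."""
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0,
                      zlib.crc32(data), len(data), len(data), len(name), 0)
    return hdr + name + data


def _central_entry(name: bytes, data: bytes, offset: int) -> bytes:
    """Central directory header pointing at the local header at `offset`."""
    hdr = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                      zlib.crc32(data), len(data), len(data),
                      len(name), 0, 0, 0, 0, 0, offset)
    return hdr + name


def build_zip(local_entries, listed):
    """Write every (name, data) in `local_entries` as a local header, but list
    only the indices in `listed` in the central directory. Passing every index
    yields a normal archive; omitting some yields orphaned local headers."""
    body, offsets = b"", []
    for name, data in local_entries:
        offsets.append(len(body))
        body += _local_header(name, data)
    cd = b"".join(_central_entry(local_entries[i][0], local_entries[i][1],
                                 offsets[i]) for i in listed)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(listed), len(listed),
                       len(cd), len(body), 0)
    return body + cd + eocd


def _iter_local(buf: bytes):
    """Yield (offset, name, data) for each local header, scanning from byte 0."""
    pos = 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        f = struct.unpack_from(LOCAL_FMT, buf, pos)
        csize, nlen, xlen = f[7], f[9], f[10]
        start = pos + 30 + nlen + xlen
        yield pos, buf[pos + 30:pos + 30 + nlen].decode(), buf[start:start + csize]
        pos = start + csize


def read_streaming(buf: bytes):
    """Scanner-style view: every local header, in file order."""
    return [(name, data) for _, name, data in _iter_local(buf)]


def read_central(buf: bytes):
    """Installer-style view: only what the central directory references."""
    e = struct.unpack_from(EOCD_FMT, buf, buf.rfind(EOCD_SIG))
    count, pos = e[4], e[6]
    out = []
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_FMT, buf, pos)
        csize, nlen, xlen, clen, off = f[8], f[10], f[11], f[12], f[16]
        name = buf[pos + 46:pos + 46 + nlen].decode()
        lnlen, lxlen = struct.unpack_from("<HH", buf, off + 26)
        start = off + 30 + lnlen + lxlen
        out.append((name, buf[start:start + csize], off))
        pos += 46 + nlen + xlen + clen
    return out


def stdlib_view(buf: bytes):
    """What the standard library's zipfile (a central-directory reader) returns."""
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def central_directory_is_consistent(buf: bytes) -> bool:
    """Hardening check: local headers and central directory must agree one-to-one,
    and no name may appear twice. Rejecting archives that fail this check protects
    downstream readers regardless of which view each of them trusts."""
    local_offsets = [off for off, _, _ in _iter_local(buf)]
    central = read_central(buf)
    names = [n for n, _, _ in central]
    return (sorted(off for _, _, off in central) == local_offsets
            and len(set(names)) == len(names))


# Constructed sample: benign file first, a second file with the same name after it,
# and a central directory that lists only the second.
NAME = b"pkg/__init__.py"
BENIGN = b"print('benign')\n"
SHADOW = b"print('shadowed')\n"
SHADOWED_ZIP = build_zip([(NAME, BENIGN), (NAME, SHADOW)], listed=[1])
CLEAN_ZIP = build_zip([(NAME, BENIGN)], listed=[0])

if __name__ == "__main__":
    print("streaming:", read_streaming(SHADOWED_ZIP))
    print("central  :", [(n, d) for n, d, _ in read_central(SHADOWED_ZIP)])
    print("zipfile  :", stdlib_view(SHADOWED_ZIP))
    print("consistent?", central_directory_is_consistent(SHADOWED_ZIP))
```

The point is not that either parser is wrong in isolation; both follow the specification for the part of the file they read. The problem is that a policy decision (scan this, install that) is made on two different views of one artifact, and the only robust fix is to refuse archives on which the views can disagree.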
Read at Python Software Foundation Blog