Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages
Briefly

"The scripts automate the process of downloading, building, and installing the required libraries and tools," security researcher Vladimir Pezo said. "Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org - a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue."
"The crux of the problem concerns an old bootstrap script ("bootstrap.py") that was used along with the zc.buildout tool to initialize the Buildout environment. The Python script also supported the ability to install a packaging utility called "Distribute," a short-lived fork of the Setuptools project, into the local environment. To achieve this, the Distribute installation script ("distribute_setup.py") is fetched from python-distribute[.]org, a domain that has been up for sale since 2014."
Vulnerable legacy bootstrap code in zc.buildout can fetch and execute a Distribute installer from python-distribute[.]org, creating supply-chain risk on PyPI if the domain is acquired by an attacker. The bootstrap.py script supports installing Distribute, a short-lived fork of Setuptools, by downloading distribute_setup.py from the legacy domain. The domain has been for sale since 2014, and multiple PyPI packages include bootstrap scripts that reference it, including tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures. The original Distribute features were later merged back into Setuptools, but the insecure bootstrap behavior remains in some packages.
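As a defensive check for the pattern described above, here is an added example (not code from the advisory, from zc.buildout or from any of the packages named): a small scanner that walks an unpacked source tree, flags Python files that reference python-distribute.org, and marks those that also download and execute remote content. The fetch/exec regexes are assumed heuristics, and the sample bootstrap.py it scans is constructed.

```python
"""Scan an unpacked source tree for bootstrap scripts that fetch and execute
code from the abandoned python-distribute.org domain named above."""
import os
import re
import tempfile

# Domain from the advisory; matched as a literal, including the "www." variant.
URL_RE = re.compile(r"https?://(?:www\.)?python-distribute\.org[^\s'\"]*")
# Hypothetical heuristics for "download, then run": a URL fetch plus exec/execfile.
FETCH_RE = re.compile(r"\b(?:urlopen|urlretrieve)\s*\(")
EXEC_RE = re.compile(r"\b(?:exec|execfile)\s*\(")

def scan_file(path):
    """Return a finding for one file, or None if it never names the domain."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    urls = sorted(set(URL_RE.findall(text)))
    if not urls:
        return None
    # fetch_and_exec is True when the file both downloads and executes remote
    # content, i.e. the bootstrap behaviour the advisory describes.
    return {"path": path, "urls": urls,
            "fetch_and_exec": bool(FETCH_RE.search(text) and EXEC_RE.search(text))}

def scan_tree(root):
    """Walk every .py file under root (e.g. an extracted sdist) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                finding = scan_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings

def demo():
    """Scan a constructed tree: one risky bootstrap.py, one harmless setup.py."""
    root = tempfile.mkdtemp()
    # Constructed sample, not the real zc.buildout bootstrap.py.
    risky = ('from urllib.request import urlopen\n'
             'exec(urlopen("http://python-distribute.org/distribute_setup.py").read())\n')
    with open(os.path.join(root, "bootstrap.py"), "w") as fh:
        fh.write(risky)
    with open(os.path.join(root, "setup.py"), "w") as fh:
        fh.write("from setuptools import setup\nsetup(name='demo')\n")
    return scan_tree(root)
```

Run scan_tree over an extracted sdist or a checkout to list every file that still points at the legacy domain; a finding with fetch_and_exec set is the one to remove or pin to a vendored installer.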
Read at The Hacker News