CVE-2022-40428 d8s-mpeg has a backdoor in the democritus-networking package.

democritus-networking is a networking package that can be used to build secure and reliable network applications with the help of cryptography.
Affected versions of the d8s-mpeg for python package are 0.1.0 to 0.1.1. PyPI has since removed the democritus-networking package from the d8s-mpeg for python package. If you are running a version of d8s-mpeg for python between 0.1.0 and 0.1.1, you are vulnerable to the backdoor. How do you know if you are using a vulnerable version? The first step is to run python and see if it prints the message “Hey, you’re using a d8s-mpeg for python version that is older than 0.1.1”. If you receive this warning message, you are using a vulnerable version. Open up the installation directory of d8s-mpeg for python. The installation directory will be something like “/home/user/project/d8s-mpeg-for-python/”. Run this command to check if you are using a vulnerable version: python -- version You will receive an output like this: Python 2.7.14 |Anaconda, Inc.| (default, Jun 15 2018, 12:25:42) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4

\t) ] on linux2

If you see a version that is less than or equal to 0.1.1, you are vulnerable to the backdoor. The second step is to make sure that your version of d8s-mpeg for python is up to date by running this command: pip3 install d8s-mpeg for python If you receive an output like this: Fetching http://python-packages.io/d8s-mpeg for python/0.1.14.tar.gz
Requirement already satisfied (use --upgrade to upgrade): setuptools in /home/user/.local/lib/python3.6m2 (from /home/user/.local/lib/python3.6m2)
Fetched 2333kB in 2 seconds (3724B/s)
Successfully installed d8s-mpeg for python 0.1.14
After running this command, your installation directory should have a version that is greater than or equal to 0.1.1 and less than or equal to 0.1.15 like this:     \tPython 3.5 |Anaconda, Inc| (default, Apr 17 2018, 00:34:46) [GCC 4.4 .7 20120422 (Red Hat 4 .4 .7 - 4)] on linux3
Alternatively, you can also check which version of d8s-mpeg for python was installed using the

Timeline

Published on: 09/19/2022 16:15:00 UTC
Last modified on: 09/21/2022 23:11:00 UTC

References

• https://pypi.org/project/democritus-networking/
• https://github.com/democritus-project/d8s-mpeg/issues/5
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40428