The democritus-hypothesis package appears to contain a backdoor in its __init__ function. The __init__ function is called when a Python package is installed and is where the code that creates the package is executed. This means that if an attacker were able to replace __init__ with malicious code, they could execute arbitrary code when any Python package is installed. The democritus-hypothesis package was distributed as the d8s-date package through PyPI, with version number 0.1.0. The democritus-hypothesis source code is available on GitHub and was last updated on November 24, 2017. This means that anyone who downloaded the democritus-hypothesis package from PyPI would have received the vulnerable version.

Background information

The democritus-hypothesis package is an open source Python package that provides a function to create date strings. There are many similar packages available on PyPI, but this version of democritus-hypothesis was vulnerable to CVE-2022-40808.
The vulnerability in question allows code execution when __init__ is called. This means that if an attacker were able to replace __init__ with malicious code, they could execute arbitrary code when any Python package is installed.
This vulnerability has recently been patched by the developer, and all packages installed from PyPI since December 8th, 2017 should not be affected by it. Older versions of this package are most likely unaffected, as the issue was present in only one vulnerable version.
To determine whether your installation of the package is the affected version, you can run the following command, which prints the installed distribution name and version:
python -c 'import pkg_resources; d = pkg_resources.get_distribution("democritus-hypothesis"); print(d.project_name, d.version)'
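As an added example that is not code from the page or from the project, the following Python audit goes beyond the one-line version check: it reads the metadata of every installed distribution, flags the version the page identifies as affected (0.1.0), and reports any installed package whose requirements pull in democritus-hypothesis. SAMPLE_ENV is a constructed environment used to show the output offline.

```python
import re
from importlib import metadata

# Version the page identifies as the affected one (CVE-2022-40808).
WATCHED = {"democritus-hypothesis": "0.1.0"}


def normalize(name):
    """PEP 503 style name normalization: d8s_date == d8s-date == D8S.Date."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req):
    """Bare distribution name from a Requires-Dist string, e.g.
    'd8s-date (>=0.1.0) ; extra == "x"' -> 'd8s-date'."""
    return normalize(re.split(r"[\s;<>=!~\[(]", req.strip(), maxsplit=1)[0])


def audit(installed):
    """installed maps dist name -> (version, [Requires-Dist strings]).
    Returns the affected installs and the packages that depend on them."""
    vulnerable, dependents = [], []
    for name, (version, reqs) in installed.items():
        n = normalize(name)
        if n in WATCHED and version == WATCHED[n]:
            vulnerable.append(f"{n}=={version}")
        for req in reqs:
            dep = requirement_name(req)
            if dep in WATCHED:
                dependents.append(f"{n}=={version} requires {dep}")
    return {"vulnerable": sorted(vulnerable), "dependents": sorted(dependents)}


def snapshot_environment():
    """Collect (version, Requires-Dist list) for every installed distribution."""
    env = {}
    for dist in metadata.distributions():
        env[dist.metadata["Name"]] = (dist.version, dist.requires or [])
    return env


# Constructed sample environment standing in for metadata.distributions().
SAMPLE_ENV = {
    "d8s-date": ("0.1.0", ["democritus-hypothesis (>=0.1.0)"]),
    "democritus-hypothesis": ("0.1.0", []),
    "requests": ("2.28.1", ["urllib3<1.27,>=1.21.1", "charset-normalizer"]),
}

if __name__ == "__main__":
    print(audit(SAMPLE_ENV))            # constructed environment
    print(audit(snapshot_environment()))  # the interpreter this runs in
```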

Installing democritus-hypothesis

Installing the democritus-hypothesis package is easy. If you have Python and pip installed, the following command will install it on your computer:
pip install democritus-hypothesis
If you do not have Python or pip installed, then you can download and install them from the official website. This command will install the vulnerable version of the package:
pip install git+https://github.com/kvn8r/democritus-hypothesis.git

Timeline

Published on: 09/19/2022 15:15:00 UTC
Last modified on: 09/21/2022 15:38:00 UTC
