CVE-2022-42037 The d8s-asns package had a third party backdoor, democritus-csv.

The package got removed from PyPI on 18 January 2018, about a month after the issue was detected. It can be downloaded from the source code hosting site, GitHub.

A security researcher from the Netherlands, Bart van der Steen, reported the issue on 8 October 2017. The d8s-asns package was updated to version 9 on 12 January 2018, but the democritus-csv package was not. A security researcher from the Netherlands, Bart van der Steen, reported the issue on 8 October 2017. The d8s-asns package was updated to version 9 on 12 January 2018, but the democritus-csv package was not. As of this writing, the d8s-asns package on PyPI is still at version 9. Since the democritus-csv package is a dependency of the d8s-asns package, it’s recommended to update the d8s-asns package as soon as possible.

Summary of vulnerability

A security vulnerability was found in the democritus-csv package, which is a dependency of the d8s-asns package. It can be downloaded from its source code hosting site, GitHub. The vulnerability was reported on 8 October 2017 but was not fixed until 18 January 2018.

Installing democritus-csv

First, go to the PyPI website at https://pypi.python.org/pypi using your web browser.

Then search for the democritus-csv package on this page and click on the link for “Downloads” below it.

Next, download the py file from this page and save it to a convenient location outside of your project directory or in its own folder that you can update later with specific version information (such as the version number 9 in this case).

The package got removed from PyPI on 18 January 2018, about a month after the issue was detected. It can be downloaded from the source code hosting site, GitHub.

Dependency and Recourse

Dependency is the reliance on one item for another. When you depend on something, you rely on it for support or assistance. A package is a collection of files that are needed by a software application to run. It’s a way to compile different programs into one executable file and make it easier to use them in conjunction with each other.
The dependency of d8s-asns and democritus-csv packages is that they both need the libevent library. The libevent library is an event loop API used in programming to provide asynchronous non-blocking processing events. Without this library, the d8s-asns package would not be able to function properly and neither would democritus-csv. For these two packages, there is no recourse until they are updated or fixed by the package maintainers.

Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/13/2022 02:35:00 UTC

References

• https://github.com/democritus-project/d8s-asns/issues/9
• https://pypi.org/project/d8s-asns/
• https://pypi.org/project/democritus-csv/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42037