
    This parse ambiguity is similar to the ambiguity exploited by the recently-discussed rubygems CVE-2022-29176, though the article reports discovering the Python issue independently. The problem in both cases is looking up a package by the concatenated string {name}-{version} instead of by the name and the version separately.


      Yeah, these kinds of parsing ambiguities can be extremely pernicious! As best I can tell no modern Python packaging tools will be confused by the “vexing parse” here, but it’s possible that older tooling could be confused into installing package-someversion==suffix instead of package==someversion-suffix.
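The following is an added illustration, not code from the thread or from any packaging tool: it shows why an index keyed by the concatenated string "{name}-{version}" cannot distinguish two different releases once both names and versions may contain hyphens, and how keying by the name and version separately (the fix both comments point at) keeps them distinct. The package names, versions and owners are constructed placeholders.

```python
# Added example (not code from the thread): why looking up a release by the
# concatenated string "{name}-{version}" is ambiguous, and how keying by the
# name and version separately avoids the ambiguity. All index data is constructed.
from typing import Dict, List, Optional, Tuple


def concat_key(name: str, version: str) -> str:
    """The ambiguous lookup key: name and version joined with a hyphen."""
    return f"{name}-{version}"


def candidate_splits(key: str) -> List[Tuple[str, str]]:
    """All (name, version) pairs that concat_key() would map onto `key`.

    Because both package names and version strings may contain hyphens,
    every hyphen in the key is a possible boundary; the key alone cannot
    say which boundary the publisher meant.
    """
    parts = key.split("-")
    return [("-".join(parts[:i]), "-".join(parts[i:])) for i in range(1, len(parts))]


def is_ambiguous(key: str) -> bool:
    """True when more than one (name, version) pair produces the same key."""
    return len(candidate_splits(key)) > 1


# Constructed records for two distinct releases whose concatenated keys collide:
# package==someversion-suffix versus package-someversion==suffix.
RELEASE_A = {"name": "package", "version": "someversion-suffix", "owner": "alice"}
RELEASE_B = {"name": "package-someversion", "version": "suffix", "owner": "bob"}

# Vulnerable pattern: index keyed by the joined string. Whichever release is
# registered second silently overwrites the first.
CONCAT_INDEX: Dict[str, dict] = {}
for rel in (RELEASE_A, RELEASE_B):
    CONCAT_INDEX[concat_key(rel["name"], rel["version"])] = rel

# Safer pattern: index keyed by the (name, version) tuple, so both releases
# remain separate entries and a lookup returns exactly the one asked for.
TUPLE_INDEX: Dict[Tuple[str, str], dict] = {
    (rel["name"], rel["version"]): rel for rel in (RELEASE_A, RELEASE_B)
}


def lookup_concat(name: str, version: str) -> Optional[dict]:
    """Lookup through the ambiguous concatenated key."""
    return CONCAT_INDEX.get(concat_key(name, version))


def lookup_tuple(name: str, version: str) -> Optional[dict]:
    """Lookup by name and version separately."""
    return TUPLE_INDEX.get((name, version))


if __name__ == "__main__":
    key = concat_key("package", "someversion-suffix")
    print(key, "ambiguous:", is_ambiguous(key), candidate_splits(key))
    # The concatenated index hands back bob's release for alice's (name, version).
    print("concat lookup owner:", lookup_concat("package", "someversion-suffix")["owner"])
    print("tuple  lookup owner:", lookup_tuple("package", "someversion-suffix")["owner"])
```

The check a registry or resolver wants is `is_ambiguous()` applied to any key it derives from user-supplied strings; a key with more than one candidate split must not be used as the sole identity of a release, and the tuple-keyed index shows the shape of the lookup that sidesteps the problem entirely.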