This parse ambiguity is similar to the ambiguity exploited by the recently-discussed rubygems CVE-2022-29176, though the article reports discovering the Python issue independently. The problem in both cases is looking up a package by the concatenated string {name}-{version} instead of by the name and the version separately.
Yeah, these kinds of parsing ambiguities can be extremely pernicious! As best I can tell no modern Python packaging tools will be confused by the “vexing parse” here, but it’s possible that older tooling could be confused into installing package-someversion==suffix instead of package==someversion-suffix.
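An added illustration of the ambiguity both comments describe (example code, not from either commenter or from any packaging tool; the index contents and the package names are constructed): a lookup keyed on the joined `{name}-{version}` string can match more than one package, while a lookup keyed on the two fields separately cannot.

```python
"""Show why {name}-{version} is an ambiguous lookup key and how to check for it."""
from typing import Optional

# Constructed sample index keyed by (name, version). The second entry stands
# in for a hypothetical, unrelated package whose *name* happens to contain the
# hyphen that the first package's *version* also contains.
INDEX = {
    ("package", "someversion-suffix"): "artifact-A",
    ("package-someversion", "suffix"): "artifact-B",
}


def candidate_splits(concatenated: str) -> list:
    """Every (name, version) pair that could have produced the joined string,
    obtained by splitting at each hyphen in turn."""
    parts = concatenated.split("-")
    return [("-".join(parts[:i]), "-".join(parts[i:])) for i in range(1, len(parts))]


def lookup_by_concatenated(concatenated: str) -> list:
    """Lookup keyed on the joined string: returns every artifact whose
    (name, version) pair is consistent with some split of the input."""
    return [INDEX[pair] for pair in candidate_splits(concatenated) if pair in INDEX]


def lookup_by_pair(name: str, version: str) -> Optional[str]:
    """Lookup keyed on separate name and version fields: at most one match."""
    return INDEX.get((name, version))


def is_ambiguous(concatenated: str) -> bool:
    """True when the joined key resolves to more than one package in the index."""
    return len(lookup_by_concatenated(concatenated)) > 1


if __name__ == "__main__":
    key = "package-someversion-suffix"
    print(candidate_splits(key))        # two plausible (name, version) pairs
    print(lookup_by_concatenated(key))  # ['artifact-A', 'artifact-B']
    print(lookup_by_pair("package", "someversion-suffix"))  # artifact-A only
```

`is_ambiguous` is the check an index or resolver can run over its own catalogue to flag names whose hyphenated prefix collides with another package's name.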