>
A fairly old unpatched security vulnerability in Python has resurfaced, prompting researchers to warn that hundreds of thousands of projects could be vulnerable to code execution.
Cybersecurity researchers at Trellix have recently spotted (opens in new tab) CVE-2007-4559, a bug in the Python tarfile package, first discovered in 2007.
At the time, however, the bug never received a patch, but rather a warning published in a security bulletin.
Identifying Vulnerable Projects
The vulnerability resides in code that uses the unpurged tarfile.extract() function or the built-in defaults of tarfileextractall(). “It is a pathtraversal bug that allows an attacker to overwrite arbitrary files,” the publication wrote.
Now researchers say the flaw gives a bad actor access to the file system. Python’s bug tracker has been updated with an announcement of a closed issue, further adding that “it can be dangerous to extract archives from untrusted sources.” The flaw can be exploited on both Windows and Linux, it was said.
Fifteen years is a long time and apparently some 350,000 projects are vulnerable. The Trellix researchers first sampled 257 repositories (61%) that were vulnerable. An automated analysis came back with a positive rate of 65%.
Together with GitHub, the Trellix researchers found 588,840 unique repositories containing “import tarfile” in the Python code, leading them to conclude that 350,000 (or about 61%), may be vulnerable.
The problem is present in a “large number” of industries, the researchers found. Development (opens in new tab) sector is unsurprisingly the most affected sector, followed by web and machine learning technology.
Trellix researchers have released fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project at a later date via a pull request, it was added. Another 70,000 projects should get their fix within a few weeks, but it will take some time to fix everything.