This ancient unpatched Python security flaw could leave thousands of projects vulnerable

Scott Marlette

2 years ago

A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be vulnerable to code execution.

Cybersecurity researchers from Trellix have recently spotted (opens in new tab) CVE-2007-4559, a flaw in the Python tarfile package, first discovered back in 2007.

However, back then, the flaw never received a patch, but rather just a warning published in a security bulletin.

Identifying vulnerable projects

The vulnerability is in code that uses un-sanitized tarfile.extract() function, or the built-in defaults of tarfileextractall(). “It’s a path traversal bug that enables an attacker to overwrite arbitrary files,” the publication wrote.

Now, researchers are saying, the flaw gives a bad actor access to the file system. Python’s bug tracker was updated with an announcement of a closed issue, with a further addition that “it might be dangerous to extract archives from untrusted sources.” The flaw is abusable both on Windows, and on Linux, it was said.

Fifteen years is a long time, and apparently, some 350,000 projects might be vulnerable. Trellix’s researchers first took a sample of 257 repositories(61%) were vulnerable. An automated analysis came back with a 65% positive rate.

Then, together with GitHub, Trellix’s researchers found 588,840 unique repositories that include “import tarfile” in its Python code, which drew them to the conclusion that 350,000 (or roughly 61%), might be vulnerable.

The problem is present in a “vast number” of industries, the researchers further found. The development (opens in new tab) sector is, unsurprisingly, the most impacted one, followed by web and machine learning technology.

Trellix’s researchers issued fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should get their fixes within a couple of weeks, but for all to be remedied, it’s going to take a little while.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.