This old unpatched Python security flaw could leave thousands of projects vulnerable

A rather old unpatched Python security vulnerability has resurfaced, prompting researchers to warn that hundreds of thousands of projects could be vulnerable to code execution.

Trellix researchers recently rediscovered CVE-2007-4559, a flaw in the Python tarfile module that was first reported in 2007.

At the time, the flaw never received a code fix; instead, a warning was published in a security bulletin.

Identify vulnerable projects

The vulnerability lies in code that calls tarfile.extract() on unsanitized member paths, or that relies on the built-in defaults of tarfile.extractall(). "This is a path traversal bug that allows an attacker to overwrite arbitrary files," the post states.

The flaw gives an attacker write access to the file system, the researchers say: a crafted archive can carry member names containing ".." sequences or absolute paths, and extraction then writes those files outside the intended directory. The issue on the Python bug tracker was closed without a code fix, with a note added stating that "it could be dangerous to extract files from untrusted sources." The flaw can be abused on both Windows and Linux.
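The traversal described above, and the check that stops it, as an added example (this is not Trellix's code or the tarfile module's own fix): the archive is constructed in memory with one harmless member and one whose name climbs out of the extraction directory, then unpacked first with the unchecked extractall() pattern and then with a hardened extractor that validates every member's resolved path before anything is written. All function names, the sandbox layout and the sample member names are this example's own assumptions.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members: dict) -> bytes:
    """Build an in-memory tar from {name: content}. Names are used verbatim, so a
    caller can deliberately craft a '..' or absolute member name, as an attacker would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archive (not a real-world artifact): one harmless member
# followed by one that escapes the extraction directory.
MALICIOUS_TAR = build_tar({
    "good/readme.txt": b"harmless\n",
    "../escaped.txt": b"written outside the extraction directory\n",
})


def path_escapes(dest: str, name: str) -> bool:
    """True if extracting a member called `name` under `dest` would land outside
    `dest` (via '..', an absolute name, or a symlinked prefix already on disk)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def vulnerable_extract(archive: bytes, dest: str) -> None:
    """The pattern the advisory describes: extractall() with no path checks.
    Python 3.12+ ships extraction filters and 3.14 makes 'data' the default, so the
    legacy (unfiltered) behaviour is requested explicitly to keep the demo deterministic."""
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(path=dest, **kwargs)


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened version: validate every member before anything is written, then
    extract with the 'data' filter where the interpreter offers it (belt and braces).
    Returns the names extracted."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            if path_escapes(dest_real, m.name):
                raise ValueError(f"member escapes destination: {m.name!r}")
            if m.issym() or m.islnk():
                # symlink targets are relative to the link's own directory,
                # hard link targets are relative to the archive root
                base = os.path.dirname(os.path.join(dest_real, m.name)) if m.issym() else dest_real
                if path_escapes(dest_real, os.path.join(base, m.linkname)):
                    raise ValueError(f"link escapes destination: {m.name!r} -> {m.linkname!r}")
            if not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
                raise ValueError(f"refusing special member: {m.name!r}")
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tar.extract(m, path=dest_real, **kwargs)
    return [m.name for m in members]


def demo() -> dict:
    """Run both extractors against MALICIOUS_TAR inside a throwaway sandbox and
    report where the escaping member ended up."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "extract")
        os.mkdir(dest)
        vulnerable_extract(MALICIOUS_TAR, dest)
        # the '..' member landed one level above dest, i.e. in the sandbox root
        results["vulnerable_escaped"] = os.path.isfile(os.path.join(sandbox, "escaped.txt"))

        safe_dest = os.path.join(sandbox, "safe")
        os.mkdir(safe_dest)
        try:
            safe_extract(MALICIOUS_TAR, safe_dest)
            results["safe_raised"] = False
        except ValueError:
            results["safe_raised"] = True
        # validation runs before extraction, so the harmless member was not written either
        results["safe_wrote_nothing"] = os.listdir(safe_dest) == []

        # a benign archive still extracts normally
        results["safe_benign"] = safe_extract(build_tar({"app/config.ini": b"[x]\n"}), safe_dest)
    return results


if __name__ == "__main__":
    print(demo())
```

The realpath check matters more than a plain string comparison: it resolves a symlinked prefix that an earlier member may already have planted, and it catches absolute member names that os.path.join would otherwise accept wholesale. On Python 3.12 and later (and the 3.8 to 3.11 point releases that backported the feature) the built-in `filter="data"` performs the same class of checks, so passing it explicitly is the short-term fix for code that cannot yet rely on the 3.14 default.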

Fifteen years is a long time, and an estimated 350,000 projects could be vulnerable. Trellix researchers first manually sampled 257 repositories and found 61% of them vulnerable; an automated analysis put the positive rate at 65%.

Then, using GitHub, the Trellix researchers found 588,840 unique repositories that include "import tarfile" in their Python code; applying the 61% rate from the manual sample gives an estimate of roughly 350,000 vulnerable repositories.

The problem is present in a "large number" of industries, the researchers found. The software development sector is, unsurprisingly, the most affected, followed by web and machine learning technologies.

Trellix has released patches for some 11,000 projects, available as forks of the affected repositories; the fixes will be submitted to the upstream projects via pull requests at a later date, the researchers added. Another 70,000 projects are expected to receive patches within a few weeks, but fixing all of them will take some time.