Fifteen-year-old Python flaw affects 350,000 projects!

Discovered in 2007, a vulnerability in Python's standard library remains unpatched to this day. It is back in the news because it leaves more than 350,000 repositories vulnerable to arbitrary code execution.

The security flaw, tracked as CVE-2007-4559, was discovered in 2007 and, surprisingly, has never received a patch! The only measure taken was a note in the documentation warning developers of a possible risk, because everything depends on which functions your Python code uses. That note warns that "it can be dangerous to extract archives from untrusted sources".

This vulnerability lies in the Python "tarfile" module, whose purpose is to read and write archives in TAR format. More precisely, this directory traversal flaw is present in the functions tarfile.extract() and tarfile.extractall(). By exploiting it, an attacker can overwrite a system file on your machine. The official Python documentation has carried an example since 2007: "If you put in a TAR archive a file named '../../../../../etc/passwd' and the administrator unpacks the archive, then the file /etc/passwd is overwritten." This is one example, but there are others, including a variant that relies on a symbolic link.
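As an added illustration (not code from the article or from Trellix), the following pre-extraction check rejects the traversal and symlink members described above before a single file is written; `safe_extractall`, `build_archive` and `extracts_safely` are hypothetical helper names, and the archive entries are constructed samples. On Python 3.12 and later the standard library itself offers `tarfile.extractall(filter="data")`, which performs equivalent checks.

```python
import io
import os
import tarfile
import tempfile

class UnsafeMemberError(Exception): pass  # a member would land, or point, outside dest

def _is_within(base, path):
    # realpath normalises '..' lexically and resolves links that already exist on disk.
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def safe_extractall(tar, dest):
    """Vet every member before writing anything, then extract. Rejects absolute
    names, '..' escapes and symlinks pointing outside dest. Hypothetical helper."""
    dest = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        target = os.path.join(dest, m.name)  # an absolute m.name discards dest here
        if not _is_within(dest, target):
            raise UnsafeMemberError(f"member escapes destination: {m.name!r}")
        if m.issym():  # symlink targets resolve relative to the member's own directory
            link = os.path.join(os.path.dirname(target), m.linkname)
            if not _is_within(dest, link):
                raise UnsafeMemberError(f"symlink escapes destination: {m.name!r} -> {m.linkname!r}")
    tar.extractall(dest, members)  # only reached when every member passed

def build_archive(entries):
    """Constructed in-memory archive: (name, bytes) for a file, (name, None, linkname) for a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, *link in entries:
            info = tarfile.TarInfo(name)
            if data is None:
                info.type, info.linkname = tarfile.SYMTYPE, link[0]
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def extracts_safely(entries):
    """True if the constructed archive passes the checks, False if it is rejected."""
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(fileobj=build_archive(entries)) as tar:
        try:
            safe_extractall(tar, tmp)
            return True
        except UnsafeMemberError:
            return False
```

A plain `tar.extractall(dest)` on the same constructed archives would write `../../evil.txt` relative to the destination, which is exactly the behaviour the 2007 example describes.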

A vulnerability ignored and rediscovered!

Earlier this year, a researcher from Trellix (born from the merger of McAfee Enterprise and FireEye) rediscovered CVE-2007-4559 while investigating another security issue. Trellix researchers then dug further and found that it is present in thousands of software projects, some open source, some not.

They analyzed a sample of 257 Python repositories: 61% of them turned out to be vulnerable. Extrapolating from this rate, the Trellix researchers estimate that there are at least 350,000 vulnerable repositories among the 588,840 GitHub repositories containing Python code with an "import tarfile" statement! A large share of these repositories correspond to machine-learning tools such as GitHub Copilot.

Trellix also believes that this vulnerability affects companies in many sectors: security, web, data science, etc.

CVE-2007-4559 - Python - Trellix

This vulnerability is exploitable on both Linux and Windows, as shown by Kasimir Schulz, a researcher at Trellix. His technical report includes two demonstration videos, one for each operating system.

Trellix has also patched over 11,000 projects so that they are no longer vulnerable to this flaw, by adapting their code. In the coming weeks, many more projects are likely to be updated with a fix: that is at least what we can hope for. It remains to be seen whether the Python Software Foundation will react, now that this vulnerability is back in the news.
