This ancient unpatched Python security flaw could leave thousands of projects vulnerable

malware
(Image credit: Elchinator from Pixabay)

A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be vulnerable to code execution. 

Cybersecurity researchers from Trellix have recently spotted CVE-2007-4559, a flaw in the Python tarfile package, first discovered back in 2007. 

However, back then, the flaw never received a patch, but rather just a warning published in a security bulletin.

Identifying vulnerable projects

The vulnerability is in code that uses un-sanitized tarfile.extract() function, or the built-in defaults of tarfileextractall(). “It’s a path traversal bug that enables an attacker to overwrite arbitrary files,” the publication wrote. 

Now, researchers are saying, the flaw gives a bad actor access to the file system. Python’s bug tracker was updated with an announcement of a closed issue, with a further addition that “it might be dangerous to extract archives from untrusted sources.” The flaw is abusable both on Windows, and on Linux, it was said.

Fifteen years is a long time, and apparently, some 350,000 projects might be vulnerable. Trellix’s researchers first took a sample of 257 repositories(61%) were vulnerable. An automated analysis came back with a 65% positive rate. 

Then, together with GitHub, Trellix’s researchers found 588,840 unique repositories that include “import tarfile” in its Python code, which drew them to the conclusion that 350,000 (or roughly 61%), might be vulnerable. 

The problem is present in a “vast number” of industries, the researchers further found. The development sector is, unsurprisingly, the most impacted one, followed by web and machine learning technology. 

Trellix’s researchers issued fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should get their fixes within a couple of weeks, but for all to be remedied, it’s going to take a little while.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.