[Updated on 23 September 2022]
Although CVE-2007-4559 only has a minor 6.8 CVSS rating, this Python vulnerability is expected to affected up to 350,000 different Python-based projects if they go unpatched. Somehow, this vulnerability went unpatched for 15 years, so the backlog could be quite extensive.
[Updated on 22 September 2022] 15-Year-Old Python Flaw Remains Unpatched
Analysts from Trellix found a 15-year-old vulnerability in Python while plumbing “an enterprise product for zero-day vulnerabilities.” The path traversal vulnerability affects the tarfile module and can be exploited to overwrite files. The issue is estimated to affect an estimated 350,000+ open-source repositories. The vulnerability was first disclosed in 2007 and is identified as CVE-2007-4559, but it was never patched. Python did include a warning in the documentation.
Note
- The vulnerability is very typical for software that blindly unpacks compressed directory structures. In some ways, the “fix” done by the package maintainers to warn developers not to unpack untrusted files, is appropriate, but I am sure there are many developers who will overlook this note. Hard to tell if the number of affected projects is realistic as it appears to be more of an eyeball estimate.
- The developer of the tar module put a note in the documentation advising what not to do, which means the code can still be abused. Trellis has built a free tool, Creosote, which scans for this vulnerability. Additionally, Trellix is publishing fixes to projects, forking them and issuing a pull request. If your project is provided fixed code, examine it carefully to ensure it still meets your expectations.
- If vulnerability exists in the forest but no one wanders by, is the forest really vulnerable? A resounding “Yes!” An attacker will surely wander by sooner or later – luckily, in this case a security researcher was the first wandering explorer. Points out the need for community investment in exhaustive testing of public libraries and the open source software supply chain – at least to the level of detecting unpatched CVEs.
- The promise of Open Source that “many eyes” would improve code quality has proved to be ephemeral. That is not likely to change until we hold developers accountable for the quality of all the code in their products, regardless of its source. Given our tolerance for poor quality in general, one is not hopeful.
Read more in
- Alert: 15-year-old Python tarfile flaw lurks in ‘over 350,000’ code projects
- 15-Year-Old Python Flaw Slithers into Software Worldwide
- Unpatched 15-year old Python bug allows code execution in 350k projects
- Limiting the Software Supply Chain Attack Surface
- [Python-Dev] tarfile and directory traversal vulnerability (August 2007)
Overview
But if you were preparing to make an “if you use jQuery then you deserve it” joke, don’t! Because stuff like this is everywhere, including in Python. According to a recent report published by the Trellix team, CVE-2007-4559, a vulnerability in the Python tarfile module is still impacting more than 350,000 software projects even today. Patching disasters like these are in every programming language. It’s that people haven’t been looking close enough.
Read more in