Gandalf_The_Grey
- Apr 24, 2016
A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution.
Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.
Unpatched since 2007
The vulnerability is in the Python tarfile package, in code that uses the un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall(). It is a path traversal bug: archive member names are not validated against the destination directory, so an attacker who controls the archive can overwrite arbitrary files.
Technical details for CVE-2007-4559 have been available since the initial report in August 2007. While there are no reports about the bug being leveraged in attacks, it represents a risk in the software supply chain.
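The traversal described above, shown as an added example that is not from the article or from Trellix's patches: it builds a constructed in-memory archive with a benign member, a "../" member and an absolute-path member, then applies a pre-extraction check that rejects any member (or symlink/hard-link target) whose path resolves outside the destination directory. The function names and sample member names are my own; the filter="data" argument is only passed when the running Python ships tarfile extraction filters, since older versions do not accept it.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive: one benign member, one '../' traversal member
# and one absolute-path member. Built in memory, not a real-world artifact.
SAMPLE_MEMBERS = ("docs/readme.txt", "../escaped.txt", "/tmp/absolute.txt")


def build_sample_tar() -> bytes:
    """Return tar bytes containing the constructed SAMPLE_MEMBERS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in SAMPLE_MEMBERS:
            data = b"sample content\n"
            info = tarfile.TarInfo(name=name)  # TarInfo keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves to directory itself or somewhere beneath it."""
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    # commonpath compares whole path components, so '/srv/app2' is not
    # mistaken for a child of '/srv/app' (a plain string-prefix test would be)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def classify_members(tar_bytes: bytes, dest: str):
    """Split members into (safe, rejected) name lists for extraction into dest.

    A member is rejected when its extraction path, or the target of a symlink
    or hard-link member, would resolve outside dest.
    """
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # os.path.join discards dest when member.name is absolute, which is
            # exactly the case the check below catches
            member_path = os.path.join(dest, member.name)
            ok = is_within_directory(dest, member_path)
            if ok and member.issym():
                # Symlink targets resolve relative to the link's own directory
                link_path = os.path.join(os.path.dirname(member_path), member.linkname)
                ok = is_within_directory(dest, link_path)
            elif ok and member.islnk():
                # Hard-link targets are relative to the archive root
                ok = is_within_directory(dest, os.path.join(dest, member.linkname))
            (safe if ok else rejected).append(member.name)
    return safe, rejected


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract only members that stay inside dest; return the extracted names."""
    safe, _ = classify_members(tar_bytes, dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.name in safe]
        kwargs = {}
        if hasattr(tarfile, "data_filter"):
            # Pythons with extraction filters: also apply the restrictive one
            kwargs["filter"] = "data"
        tar.extractall(path=dest, members=members, **kwargs)
    return safe


def demo() -> dict:
    """Run the check end to end in a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="tar-demo-")
    tar_bytes = build_sample_tar()
    safe, rejected = classify_members(tar_bytes, dest)
    extracted = safe_extract(tar_bytes, dest)
    return {
        "safe": safe,
        "rejected": rejected,
        "extracted": extracted,
        "readme_exists": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the benign member as the only extracted name and lists the two escaping members as rejected; the same validation can be dropped in front of any existing extract()/extractall() call.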
Earlier this year, while investigating another security issue, CVE-2007-4559 was rediscovered by a researcher at Trellix, a new business providing extended detection and response (XDR) solutions that resulted from the merger of McAfee Enterprise and FireEye.
Apart from drawing attention to the vulnerability and the risk it poses, Trellix also created patches for a little over 11,000 projects. The fixes will be available in a fork of the impacted repository. Later, they will be added to the main project via pull requests.
Because of the large number of affected repositories, the researchers expect more than 70,000 projects to receive a fix in the next few weeks. Hitting the 100% mark is a tough challenge, though, as merge requests also need to be accepted by the maintainers.
BleepingComputer has reached out to the Python Software Foundation for a comment about CVE-2007-4559 but had not received an answer at publishing time.
Source: Unpatched 15-year old Python bug allows code execution in 350k projects (www.bleepingcomputer.com)