Unpatched 15-year old Python bug allows code execution in 350k projects

Gandalf_The_Grey

A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution.

Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk.

Unpatched since 2007

The vulnerability is in the Python tarfile package, in code that uses un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall(). It is a path traversal bug that enables an attacker to overwrite arbitrary files.

Technical details for CVE-2007-4559 have been available since the initial report in August 2007. While there are no reports about the bug being leveraged in attacks, it represents a risk in the software supply chain.

Earlier this year, while investigating another security issue, CVE-2007-4559 was rediscovered by a researcher at Trellix, a new business providing extended detection and response (XDR) solutions that resulted from the merger of McAfee Enterprise and FireEye.
Apart from drawing attention to the vulnerability and the risk it poses, Trellix also created patches for a little over 11,000 projects. The fixes will be available in a fork of the impacted repository. Later, they will be added to the main project via pull requests.

Because of the large number of affected repositories, the researchers expect more than 70,000 projects to receive a fix in the next few weeks. Hitting the 100% mark is a tough challenge, though, as merge requests also need to be accepted by the maintainers.

BleepingComputer has reached out to Python Software Foundation for a comment about CVE-2007-4559 but has not received an answer at publishing time.
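As an added example (not part of the post or the BleepingComputer article it quotes), the following Python code shows the check that a bare tarfile.extractall() call does not perform: every member path is resolved against the destination directory and the archive is refused if any member would land outside it. The archive is constructed in memory for the demonstration, and the function names are my own, not from Trellix's patches.

```python
import io
import os
import tarfile
import tempfile


def build_archive(names):
    """Constructed sample tar held in memory; each name becomes a small regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"example"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(base, target):
    """True if target, after resolving '..', symlinks and absolute paths, stays under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(archive, dest):
    """Names of members that would escape dest (file paths and link targets alike)."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if not is_within_directory(dest, os.path.join(dest, m.name)):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                link = os.path.join(dest, os.path.dirname(m.name), m.linkname)
                if not is_within_directory(dest, link):
                    bad.append(m.name)
    return bad


def safe_extractall(archive, dest):
    """Extract only when every member stays under dest; otherwise raise and extract nothing."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError("refusing to extract, traversal members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo():
    """Run both archives against a temporary destination and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        flagged = unsafe_members(build_archive(["safe/readme.txt", "../escaped.txt"]), dest)
        extracted = safe_extractall(build_archive(["safe/readme.txt"]), dest)
        written = os.path.exists(os.path.join(dest, "safe", "readme.txt"))
    return {"flagged": flagged, "extracted": extracted, "written": written}


if __name__ == "__main__":
    print(demo())
```

On Python 3.12 and later the same protection is available from the standard library itself via `tar.extractall(dest, filter="data")`, which rejects traversal and out-of-tree links before writing anything.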