This ancient unpatched Python security flaw could leave thousands of projects vulnerable


A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be vulnerable to code execution.
Cybersecurity researchers from Trellix have recently spotted (opens in new tab) CVE-2007-4559, a flaw in the Python tarfile package, first discovered back in 2007.
However, back then, the flaw never received a patch, but rather just a warning published in a security bulletin.
Identifying vulnerable projects
The vulnerability is in code that uses un-sanitized tarfile.extract() function, or the built-in defaults of tarfileextractall(). “It’s a path traversal bug that enables an attacker to overwrite arbitrary files,” the publication wrote.
Now, researchers are saying, the flaw gives a bad actor access to the file system. Python’s bug tracker was updated with an announcement of a closed issue, with a further addition that “it might be dangerous to extract archives from untrusted sources.” The flaw is abusable both on Windows, and on Linux, it was said.
Fifteen years is a long time, and apparently, some 350,000 projects might be vulnerable. Trellix’s researchers first took a sample of 257 repositories(61%) were vulnerable. An automated analysis came back with a 65% positive rate.
Then, together with GitHub, Trellix’s researchers found 588,840 unique repositories that include “import tarfile” in its Python code, which drew them to the conclusion that 350,000 (or roughly 61%), might be vulnerable.
The problem is present in a “vast number” of industries, the researchers further found. The development (opens in new tab) sector is, unsurprisingly, the most impacted one, followed by web and machine learning technology.
Trellix’s researchers issued fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should get their fixes within a couple of weeks, but for all to be remedied, it’s going to take a little while.
Audio player loading… A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be vulnerable to code execution. Cybersecurity researchers from Trellix have recently spotted (opens in new tab) CVE-2007-4559, a flaw in the Python tarfile package, first discovered back…
Recent Posts
- OpenSSH vulnerabilities could pose huge threat to businesses everywhere
- Magic: The Gathering’s Final Fantasy sets will tell the stories of the games
- All of Chipolo’s Bluetooth trackers are discounted in sitewide sale
- Fortnite: Lawless gets first trailer highlighting the new season’s battle pass roster and the chaos of Crime City
- Chase will start blocking Zelle payments over social media
Archives
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- September 2018
- October 2017
- December 2011
- August 2010