Unpatched Python Vulnerability: 350,000 Projects At Risk for Code Execution

SEPTEMBER 27TH, 2022

Never underestimate the importance of patching. Bleeping Computer has reported on a Python vulnerability that first came to light in 2007, tracked as CVE-2007-4559. A fix was never shipped for it; instead, the risk was only documented, leaving every project that calls the affected API to add its own checks.

The bug is in the tarfile module of Python's standard library: member names are not checked before extraction, so a member whose name contains a path component such as "../" (or a symlink that points outside the target directory) is written outside the directory being extracted into, letting an attacker-supplied archive overwrite any file the extracting process can reach. A researcher at Trellix rediscovered the issue, with Charles McFarland, vulnerability researcher in the Trellix Advanced Threat Research team, noting, “Failure to write any safety code to sanitize the member’s files before calling for tarfile.extract() or tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system.”
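To make the failure mode concrete, the following is an added example (not code from the article, Bleeping Computer or Trellix). It builds, in memory, an archive with a "../" member and an escaping symlink (names and contents are constructed for this example), extracts it once the way the flagged projects do and once with a per-member check that every target path and every symlink target resolve inside the destination, then reports what landed outside. The helper name _extractall_unchecked and the reporting layout are this example's own choices.

```python
import io
import tarfile
import tempfile
from pathlib import Path


def build_malicious_tar() -> bytes:
    """Construct, in memory, an archive of the kind CVE-2007-4559 is about.
    Every member name and payload here is made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("README.txt", b"harmless\n"),
            # classic '..' traversal: lands one level above the destination
            ("../escaped.txt", b"written outside the extraction directory\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        # a symlink pointing out of the destination, then a file written through it
        link = tarfile.TarInfo("link_out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../"
        tar.addfile(link)
        data = b"written through the symlink\n"
        info = tarfile.TarInfo("link_out/through_link.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _extractall_unchecked(tar: tarfile.TarFile, dest: Path, members=None) -> None:
    """extractall() exactly as pre-PEP 706 code behaved: no per-member checks.
    Interpreters that have the 'filter' argument are told 'fully_trusted' so the
    demonstration is identical on every version; older interpreters do not know
    the argument and raise TypeError, in which case plain extractall() is used."""
    try:
        tar.extractall(str(dest), members=members, filter="fully_trusted")
    except TypeError:
        tar.extractall(str(dest), members=members)


def naive_extract(archive: bytes, dest: Path) -> None:
    """The pattern Trellix flagged: hand the archive straight to extractall()."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        _extractall_unchecked(tar, dest)


def _inside(path: Path, dest: Path) -> bool:
    return path == dest or dest in path.parents


def member_is_safe(member: tarfile.TarInfo, dest: Path) -> bool:
    """True if extracting `member` cannot touch anything outside `dest`
    (`dest` must already be resolved). Hard links, device nodes and FIFOs are
    refused outright; that is a deliberate, conservative choice."""
    if not (member.isfile() or member.isdir() or member.issym()):
        return False
    # Non-strict resolve() normalises '..' and follows symlinks that already
    # exist on disk, so an absolute name or a pre-existing link is caught too.
    target = (dest / member.name).resolve()
    if not _inside(target, dest):
        return False
    if member.issym():
        # The link itself sits inside dest, but where does it point?
        link_target = (target.parent / member.linkname).resolve()
        if not _inside(link_target, dest):
            return False
    return True


def safe_extract(archive: bytes, dest: Path):
    """Vet every member before anything is written; returns (extracted, rejected)."""
    dest = dest.resolve()
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar.getmembers():
            (accepted if member_is_safe(member, dest) else rejected).append(member)
        _extractall_unchecked(tar, dest, members=accepted)
    return [m.name for m in accepted], [m.name for m in rejected]


def _files_in(root: Path) -> list:
    return sorted(p.name for p in root.iterdir() if p.is_file())


def run_demo() -> dict:
    """Extract the same archive both ways, each into a fresh temp dir, and report
    which files ended up in the *parent* of the extraction directory."""
    archive = build_malicious_tar()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dest = root / "extract"
        dest.mkdir()
        naive_extract(archive, dest)
        results["naive_outside"] = _files_in(root)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dest = root / "extract"
        dest.mkdir()
        results["safe_extracted"], results["safe_rejected"] = safe_extract(archive, dest)
        results["safe_outside"] = _files_in(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The naive run leaves escaped.txt and through_link.txt one level above the extraction directory; the vetted run writes nothing there, rejects "../escaped.txt" and the escaping symlink, and still extracts link_out/through_link.txt, which is harmless once the symlink is gone because tarfile simply creates link_out as an ordinary directory. Interpreters from Python 3.12 on (and the 3.8 to 3.11 maintenance releases that backported PEP 706) accept extractall(filter="data"), which refuses the same members inside the standard library; the article predates that, and the check above does not rely on it.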

The Bleeping Computer post notes that the Trellix researchers found the vulnerable pattern in thousands of software projects, an estimated 350,000 across both open- and closed-source code. Trellix found that open-source code vulnerable to CVE-2007-4559 “spans a vast number of industries,” with the development sector most affected, followed by web and machine learning technologies.

Beyond drawing attention to the vulnerability, Trellix has also produced patches for more than 11,000 projects. The fixes are being published in forks of the affected repositories and are to be submitted to the upstream projects as pull requests.

With so many repositories affected, the researchers don’t expect to fix 100 percent of the projects under threat, but they hope to provide a fix for more than 70,000 projects in the next few weeks.

Kasimir Schulz of Trellix, who rediscovered the bug, has published a detailed technical blog on the finding.

The Python Software Foundation has published no comments as of this writing, so stay tuned for updates.
