Python affected by 15-year-old bug that keeps on giving
The Python programming language has a serpentine issue no one wants to fixBy Alfonso Maruccia
In brief: The Python programming language is being impacted by security issue programmers have know about for a while. Trellix researchers recently rediscovered a bug, highlighting the risk for hundreds of thousands of software projects and creating patches for tens of thousands of them.
Being one of the most popular programming languages in the world, Python is both an opportunity and a risk for programs and the open source software supply chain. Case in point: researchers are rediscovering a security vulnerability hidden within Python for 15 years. The bug "works by design," at least according to Python developers; others think otherwise and are working to provide a patch to affected projects.
First discovered in 2007 and listed as CVE-2007-4559, the vulnerability is located in the tarfile module which is used by Python programs to read and write Tar archives. The issue is a path traversa of bug that could be exploited to overwrite arbitrary files on the system, thus leading to a possible execution of malicious code.
Since the initial report posted 15 years ago, the tarfile vulnerability has received no fix or mending patch - just a warning about the existing risk. To be fair, there have been no reports about attacks and security threats capable of exploiting CVE-2007-4559.
However, a reminder about the flaw was recently published by Trellix. While investigating an unrelated vulnerability, the researchers said they stumbled upon the ancient bug in the tarfile module.
While discussing the issue on the Python bug tracker, developers have once again concluded that CVE-2007-4559 is not a bug: "tarfile.py does nothing wrong," the developers said, and there is "no known or possible practical exploit." Python official documentation has been updated once more, with a warning about the possible danger related to extracting archives from untrusted sources.
Trellix researchers, however, have a completely different view on the issue: CVE-2007-4559 is indeed a security vulnerability, they said. As proof, the researchers described and demoed a simple exploit leveraging the flaw with the Spyder development environment for scientific programming.
Trellix also looked into the pervasiveness of CVE-2007-4559, analyzing both closed and open source projects. They initially found a 61 percent vulnerability rate in 257 different code repositories, increasing the percentage to 65 percent after an automated check and finally analyzing a larger dataset of 588,840 unique repositories hosted on GitHub.
All things considered, Trellix estimates there could be more than 350,000 projects vulnerable to CVE-2007-4559, with many of these projects being used by machine learning tools to help developers complete a project faster. Taking a stance on the issue, the researchers have already created patches for around 11,000 projects and many more should follow in the weeks to come.