15-Year-Old Python Flaw Remains Unpatched
Analysts from Trellix found a 15-year-old vulnerability in Python while examining “an enterprise product for zero-day vulnerabilities.” The path traversal vulnerability affects the tarfile module and can be exploited to overwrite files. The issue is estimated to affect 350,000+ open-source repositories. The vulnerability was first disclosed in 2007 and is identified as CVE-2007-4559, but it was never patched. Python did include a warning in the documentation.
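The flaw described above is that `tarfile.extractall()` trusts member names, so an archive entry such as `../something` or an absolute path is written outside the intended destination. The following added example (not code from the article, from Trellix, or from CPython) shows the check a defender adds before extraction: every member's resolved path, and the target of any symlink or hard link, must stay inside the destination directory. The sample archive is constructed in memory for the demonstration; the names `scan_archive`, `safe_extractall` and `build_sample_archive` are this example's own.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(directory, target):
    """True if `target` resolves to a location inside `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(tar, dest):
    """Return the names of members that would land outside `dest`.

    Covers three traversal routes: relative '..' components, absolute
    member names, and symlinks/hard links whose target lies outside dest.
    """
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # Symlink targets are relative to the link's own directory.
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
        elif member.islnk():
            # Hard link targets are paths relative to the archive root.
            link_target = os.path.join(dest, member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
    return bad


def scan_archive(data, dest):
    """Scan raw tar bytes and report members that would escape `dest`."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return unsafe_members(tar, dest)


def safe_extractall(data, dest):
    """Extract only if no member escapes `dest`; otherwise refuse entirely."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract, unsafe members: %r" % bad)
        tar.extractall(dest)


def build_sample_archive():
    """Construct (for this example only) a tar with one benign and two escaping members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        good = tarfile.TarInfo("safe/good.txt")
        good.size = len(payload)
        tar.addfile(good, io.BytesIO(payload))

        evil = tarfile.TarInfo("../evil.txt")  # relative traversal
        evil.size = len(payload)
        tar.addfile(evil, io.BytesIO(payload))

        link = tarfile.TarInfo("escape")  # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        print("unsafe members:", scan_archive(sample, dest))
        try:
            safe_extractall(sample, dest)
        except ValueError as exc:
            print(exc)
```

Newer CPython releases added an extraction `filter` argument to `extractall` that performs a similar check; the example implements it by hand so it also runs on interpreters that predate that change, and it refuses the whole archive rather than silently skipping bad entries, which keeps a partial extraction from masking the attempt.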
The vulnerability is very typical for software that blindly unpacks compressed directory structures. In some ways, the "fix" done by the package maintainers to warn developers not to unpack untrusted files, is appropriate, but I am sure there are many developers who will overlook this note. Hard to tell if the number of affected projects is realistic as it appears to be more of an eyeball estimate.
The developer of the tar module put a note in the documentation advising what not to do, which means the code can still be abused. Trellix has built a free tool, Creosote, which scans for this vulnerability. Additionally, Trellix is publishing fixes to projects, forking them and issuing a pull request. If your project is provided fixed code, examine it carefully to ensure it still meets your expectations.
If a vulnerability exists in the forest but no one wanders by, is the forest really vulnerable? A resounding “Yes!” An attacker will surely wander by sooner or later – luckily, in this case a security researcher was the first wandering explorer. This points out the need for community investment in exhaustive testing of public libraries and the open source software supply chain – at least to the level of detecting unpatched CVEs.
The promise of Open Source that “many eyes” would improve code quality has proved to be ephemeral. That is not likely to change until we hold developers accountable for the quality of all the code in their products, regardless of its source. Given our tolerance for poor quality in general, one is not hopeful.
William Hugh Murray
Read more in
The Register: Alert: 15-year-old Python tarfile flaw lurks in 'over 350,000' code projects
Dark Reading: 15-Year-Old Python Flaw Slithers into Software Worldwide
Bleeping Computer: Unpatched 15-year old Python bug allows code execution in 350k projects
Trellix: Limiting the Software Supply Chain Attack Surface
Python: [Python-Dev] tarfile and directory traversal vulnerability (August 2007)
NIST: CVE-2007-4559 Detail