Venomous Python bug affects millions of Open Source Projects
Researchers from Trellix said that they discovered a vulnerability in Python’s tarfile module affecting 350,000 open source projects, which provides a way to read and write compressed bundles of files known as tar archives by exploitation.
Tracked as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, and is in extinction till today covering 5500 days. It can be exploited to potentially overwrite and hijack files on a victim’s machine, when a vulnerable application opens a malicious tar archive via tarfile
The tarfile directory traversal flaw was reported on August 29, 2007. But already addressed one day prior by the maintainer of the tarfile module
A code change has been committed that adds a default true
check_paths parameter and a helper function the
TarFile.extractall() method that throws an error if a tar archive file path is insecure.
But the fix didnt address
Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with
"/"or filenames with two dots
extractall() still posing the threat of arbitrary path traversal.
Trellix built a free tool called Creosote to scan for CVE-2007-4559. The software has already found the bug lurking in applications like Spyder IDE, an open-source scientific environment written for Python, and Polemarch, an IT infrastructure management service for Linux and Docker.
Trelix says tarfile is a default module in any Python project and is present in frameworks created by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.
Trellix says it’s working to make repaired code available to affected projects.