Trellix researchers have discovered a bug in the Python programming language that puts hundreds of thousands of software projects at risk. The identified security vulnerability has existed in Python for 15 years.
The CVE-2007-4559 vulnerability was first reported back in 2007. It resides in the tarfile module, which Python programs use to read and write Tar archives. By crafting member names containing path components such as `..`, an attacker can carry out a path traversal attack during extraction and overwrite arbitrary files on the system, which can lead to the execution of malicious code. At the time, the vulnerability was not fixed; the only response was a warning about the risk added to the updated documentation. To be fair, there have been no reports of attacks exploiting CVE-2007-4559 in the wild.
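The traversal the article describes can be caught before extraction by resolving every member's path against the destination directory. Python 3.12 added extraction filters (`tarfile.data_filter`) that perform this kind of check; the code below is an added example for illustrating the defence on any interpreter and is not the page's or the CPython project's own code. The archive it inspects is constructed in memory, and the destination directory is a temporary one.

```python
import io
import os
import tarfile
import tempfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members whose resolved path (or link target) escapes dest.

    Absolute names and '..' components are the classic CVE-2007-4559 traversal;
    symlinks and hardlinks are checked against where their target would land.
    """
    root = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # hardlink targets are archive-relative; symlink targets are member-relative
            base = root if member.islnk() else os.path.dirname(target)
            link = os.path.realpath(os.path.join(base, member.linkname))
            if os.path.commonpath([root, link]) != root:
                bad.append(member.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member would write outside dest."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, path traversal in: {bad}")
    tar.extractall(dest)


def build_demo_archive() -> bytes:
    """Constructed sample: one benign file and one '../' traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok/readme.txt", "../escaped.txt"):
            data = b"hello\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> tuple:
    """Returns (flagged member names, whether safe_extractall refused)."""
    dest = tempfile.mkdtemp(prefix="tar_demo_")
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        flagged = unsafe_members(tar, dest)
        try:
            safe_extractall(tar, dest)
            refused = False
        except ValueError:
            refused = True
    return flagged, refused
```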
However, Trellix recently published a vulnerability alert. While analyzing an unrelated vulnerability, the researchers said they had stumbled upon an ancient bug in the tarfile module.
While discussing the issue on the Python bug tracker, the developers once again concluded that CVE-2007-4559 is not a bug: “tarfile.py does nothing wrong,” the developers said, and “there are no known or possible practical exploits.” The official Python documentation has been updated yet again with a warning about the possible dangers associated with extracting archives from untrusted sources.
Trellix researchers disagree with this approach and insist that CVE-2007-4559 is indeed a security vulnerability. As evidence, they described and demonstrated a simple exploit targeting the vulnerability as it appears in the Spyder development environment.
Trellix also studied the prevalence of CVE-2007-4559 by analyzing both closed and open source projects. Initially, they found a vulnerability rate of 61% in 257 different code repositories, and after automatically checking and analyzing a larger dataset of 588,840 repositories, this increased to 65%.
Trellix estimates that more than 350,000 projects may be affected by the CVE-2007-4559 vulnerability. Many of these projects are used as training data by machine learning tools that help developers complete projects faster, so the vulnerable pattern is likely to be reproduced in new code. The researchers have already created fixes for about 11,000 projects and intend to continue this work.
Source: techspot