Alert: 15-year-old Python tarfile flaw lurks in ‘over 350,000’ code projects

At least 350,000 open source projects are believed to be potentially vulnerable to exploitation via a Python module flaw that has remained unfixed for 15 years.

On Tuesday, security firm Trellix said its threat researchers had encountered a vulnerability in Python’s tarfile module, which provides a way to read and write compressed bundles of files known as tar archives. Initially, the bug hunters thought they’d chanced upon a zero-day.

It turned out to be about a 5,500-day issue: the bug has been living its best life for the past decade-and-a-half while awaiting extinction.

Identified as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a Python mailing list post from Jan Matejek, who was at the time the Python package maintainer for SUSE. It can be exploited to potentially overwrite and hijack files on a victim’s machine, when a vulnerable application opens a malicious tar archive via tarfile.

“The vulnerability goes basically like this: If you tar a file named ‘../../../../../etc/passwd’ and then make the admin untar it, /etc/passwd gets overwritten,” explained Matejek at the time.

The tarfile directory traversal flaw was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.

But it had already been addressed, sort of. One day earlier, Lars Gustäbel, maintainer of the tarfile module, committed a code change that adds a check_paths parameter (defaulting to true) to the TarFile.extractall() method, along with a helper function that raises an error if a file path inside the tar archive is insecure.
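The kind of pre-extraction path check that commit describes, as an added example (this is not the article's or CPython's own code): it resolves every member name, and any link target, against the destination directory and refuses to extract if anything escapes, rejecting a constructed archive carrying the ‘../../../../../etc/passwd’ member name quoted above while extracting a benign one. The function names build_archive, unsafe_members, safe_extractall and demo are assumptions.

```python
import io
import os
import tarfile
import tempfile

TRAVERSAL_NAME = "../../../../../etc/passwd"  # constructed, as in the 2007 report


def build_archive(names):
    """Build an in-memory tar archive with members of the given names (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def unsafe_members(tar, dest):
    """Names of members whose path or link target would land outside `dest`."""
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, m.name))
        # symlink targets resolve relative to the link's directory, hard links to the root
        base = os.path.dirname(target) if m.issym() else dest_real
        link = os.path.realpath(os.path.join(base, m.linkname)) if (m.issym() or m.islnk()) else target
        if any(os.path.commonpath([dest_real, p]) != dest_real for p in (target, link)):
            bad.append(m.name)
    return bad


def safe_extractall(buf, dest):
    """Extract only if every member stays inside `dest`; return the rejected names."""
    with tarfile.open(fileobj=buf, mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if not bad:
            tar.extractall(dest)
    return bad


def demo():
    """Run a traversal archive and a benign one against a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extractall(build_archive([TRAVERSAL_NAME]), dest)
        accepted = safe_extractall(build_archive(["docs/readme.txt"]), dest)
        extracted = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return rejected, accepted, extracted
```

On Python 3.12 and the security backports of PEP 706, extractall(..., filter="data") applies an equivalent check natively; the explicit version above is for interpreters that lack it.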
