Python has an old flaw that could compromise thousands of projects

A very old Python security flaw, which was never patched, has just resurfaced and put researchers on high alert, as the vulnerability could leave thousands of projects susceptible to malicious code execution. According to researchers at cybersecurity firm Trellix, the bug was first discovered in 2007.

The flaw was named CVE-2007-4559, and it is a bug in the Python tarfile package. Since it was originally described, the vulnerability has never received a patch, only a warning about its existence in a security bulletin. The flaw is in code that calls tarfile.extract() on unsanitized member paths, or that relies on the built-in defaults of tarfile.extractall().

“It’s a path traversal bug that allows an attacker to overwrite arbitrary files,” explains Trellix. According to the researchers, the flaw gives an attacker access to the file system. The researchers say the vulnerability can be exploited on both Windows and Linux.
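The pattern the researchers describe, and the check that prevents it, as an added example that is not Trellix's code or the Python project's own: an archive member whose name contains ".." (or a symlink whose target points outside the destination) is written outside the extraction directory when it is passed unchecked to extract()/extractall(). The functions `member_is_safe`, `safe_extract`, `unsafe_member_names`, `build_archive` and `demo` are hypothetical names chosen here, and the two archives are constructed in memory for the demonstration. Where the interpreter provides extraction filters (Python 3.12 and the backports to supported 3.8 to 3.11 releases), the code also passes `filter="data"` so the standard library enforces the same policy.

```python
import io
import os
import tarfile
import tempfile


def _inside(root: str, path: str) -> bool:
    """True if `path` (already passed through realpath) is at or under `root`."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return False


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Return True only if extracting `member` cannot write outside `dest`.

    Covers the traversal cases behind CVE-2007-4559: '..' segments or an
    absolute member name, and symlinks/hardlinks whose target resolves
    outside the destination directory.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if not _inside(dest_real, target):
        return False
    if member.issym():
        # A symlink target is resolved relative to the directory holding the link.
        link_target = os.path.realpath(
            os.path.join(os.path.dirname(target), member.linkname))
        return _inside(dest_real, link_target)
    if member.islnk():
        # A hard link target is resolved relative to the archive root, i.e. `dest`.
        link_target = os.path.realpath(os.path.join(dest_real, member.linkname))
        return _inside(dest_real, link_target)
    return True


def unsafe_member_names(archive: bytes, dest: str) -> list:
    """List the member names in `archive` that would escape `dest`."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [m.name for m in tar.getmembers() if not member_is_safe(m, dest)]


def safe_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Vet every member first, then extract; return the extracted names."""
    members = tar.getmembers()
    bad = [m.name for m in members if not member_is_safe(m, dest)]
    if bad:
        raise ValueError("refusing to extract, unsafe members: %r" % bad)
    if hasattr(tarfile, "data_filter"):
        # Extraction filters exist (3.12+ and backports): let the interpreter
        # enforce the same policy with the built-in 'data' filter.
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)
    return [m.name for m in members]


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive: bytes values become regular files,
    str values become symlinks pointing at that string."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name=name)
            if isinstance(payload, bytes):
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign archive, then refuse a hostile one (both constructed here)."""
    benign = build_archive({"pkg/README": b"hello\n"})
    hostile = build_archive({"pkg/README": b"hello\n",
                             "../outside.txt": b"escaped\n",   # '..' traversal
                             "pkg/link": "../../escape"})      # symlink out of dest
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        with tarfile.open(fileobj=io.BytesIO(benign)) as tar:
            results["benign"] = safe_extract(tar, dest)
        with tarfile.open(fileobj=io.BytesIO(hostile)) as tar:
            try:
                safe_extract(tar, dest)
                results["hostile"] = "extracted"
            except ValueError:
                results["hostile"] = "rejected"
        # Nothing may have landed beside `dest` rather than inside it.
        results["escaped"] = os.path.exists(os.path.join(tmp, "outside.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check resolves every member name against the real destination path before anything touches the disk, so a single bad entry rejects the whole archive rather than leaving a half-extracted tree; vetting after extraction, or only checking for a leading "../", misses symlink members and names such as "a/../../b".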


Failure could reach 350,000 projects written in Python

Out of a sample of 257 repositories collected by Trellix researchers, 61% were vulnerable. This could mean that in 15 years, as many as 350,000 projects may have been put at risk. A second analysis, carried out in conjunction with GitHub, confirmed the initial conclusion that around 61% of unique repositories may be vulnerable.

The problem is present across a significant number of industries, which are the sectors most likely to suffer intrusions that use the flaw. Companies in the software development sector are the most vulnerable, followed by technology organizations working in machine learning and the web.

Patches were issued for around 11,000 projects, most made available as forks of the affected repositories. These patches will be merged into the main projects via pull requests, on a date yet to be announced. Another 70,000 programs are expected to be fixed soon. A date for all fixes, however, is not yet on the horizon.
