Unpatched, 15-year-old Python bug allows code execution and affects 350,000 applications on Windows and Linux
A vulnerability in the Python programming language that has gone unfixed for 15 years is back in the spotlight after researchers found that it likely affects more than 350,000 open source repositories and can lead to code execution.
The flaw was reported in 2007 and assigned CVE-2007-4559, but it was never fixed in a release. The only mitigation ever provided was a documentation update warning developers about the risk.
No fix since 2007
The vulnerability lies in Python's tarfile module, specifically in tarfile.extract() and tarfile.extractall(), which do not sanitize member names before writing them to disk. It is a path traversal flaw: an archive entry whose name contains ".." components is written outside the intended extraction directory, letting an attacker overwrite any file the extracting process can write to.
Technical details for CVE-2007-4559 are available in the original report from August 2007. Although there are no reports of the bug being exploited in the wild, it represents a risk in the software supply chain.
Earlier this year, a researcher at Trellix rediscovered CVE-2007-4559 while investigating another security issue.
Less than a week after the original disclosure, a message on the Python bug tracker announced that the issue was closed, the "fix" being a documentation warning "that extracting files from untrusted sources can be dangerous."
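As an added illustration, not code from the Trellix write-up or from the Python project, the following shows the vulnerable extraction pattern next to a hardened version. The malicious archive is constructed in memory (a single member named `../escaped.txt`); all function names here are my own.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive: one member whose name climbs out of the
    extraction directory with '..'. tarfile writes such names as given."""
    payload = b"written outside the extraction directory\n"
    info = tarfile.TarInfo(name="../escaped.txt")
    info.size = len(payload)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(data: bytes, dest: str) -> None:
    """The CVE-2007-4559 pattern: extractall() on untrusted input, no name check.
    Interpreters that have the `filter` argument are asked for the historical
    behaviour explicitly so the demonstration is identical on every version."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        try:
            tar.extractall(dest, filter="fully_trusted")
        except TypeError:  # older tarfile without `filter`: unfiltered by default
            tar.extractall(dest)


def inside_dir(base: str, name: str) -> bool:
    """Lexical containment check: does `name`, joined to `base`, stay under `base`?
    abspath() collapses '..' without touching the filesystem, and an absolute
    `name` replaces `base` entirely in os.path.join, so it fails the check too."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def safe_members(tar: tarfile.TarFile, dest: str):
    """Yield members that may be extracted into dest; raise on anything else."""
    for member in tar.getmembers():
        if not inside_dir(dest, member.name):
            raise ValueError(f"path traversal blocked: {member.name!r}")
        if member.issym() or member.islnk():
            # Symlink targets are relative to the member's directory, hardlink
            # targets to the archive root; both must also stay inside dest.
            rel = (os.path.join(os.path.dirname(member.name), member.linkname)
                   if member.issym() else member.linkname)
            if not inside_dir(dest, rel):
                raise ValueError(f"link escape blocked: {member.name!r} -> {member.linkname!r}")
        elif not (member.isfile() or member.isdir()):
            raise ValueError(f"special file blocked: {member.name!r}")
        yield member


def extract_safe(data: bytes, dest: str) -> list:
    """Validate every member before writing anything, then extract only those."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = list(safe_members(tar, dest))
        tar.extractall(dest, members=members)
        return [m.name for m in members]


def demonstrate() -> dict:
    """Run both extractors in scratch directories and report what happened."""
    data = build_malicious_tar()
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        extract_unsafe(data, dest)
        # The file lands in tmp, one level above the directory we asked for.
        result["unsafe_escaped"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        try:
            extract_safe(data, dest)
            result["safe_blocked"] = False
        except ValueError:
            result["safe_blocked"] = not os.path.exists(os.path.join(tmp, "escaped.txt"))
    return result


if __name__ == "__main__":
    print(demonstrate())
```

The hardened version validates the whole member list before the first write, so a bad entry late in the archive cannot be preceded by partial extraction. On Python 3.12 and later (and the security releases of 3.8 through 3.11 that backported it) `extractall(dest, filter="data")` performs this kind of containment check in the standard library itself; the lexical check above is what you need on interpreters that predate that argument.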
An estimated 350,000 applications are affected
Analyzing the impact, Trellix researchers found that the vulnerability was present in thousands of software projects, both open and closed source.
The researchers pulled a total of 257 repositories most likely to contain the vulnerable code and manually checked 175 of them; 61% of those turned out to be vulnerable.
This small sample served as the basis for an estimate of all affected repositories on GitHub, which put the figure at around 350,000 vulnerable repositories. Many of them feed the machine learning tools (e.g. GitHub Copilot) that help developers complete projects faster.
Such automated tools draw on code from hundreds of thousands of repositories to provide "autocomplete" suggestions. If the suggested code is unsafe, the issue spreads to other projects without the developer noticing.
Looking further into the problem, Trellix found that the open source code vulnerable to CVE-2007-4559 "spans a huge number of industries."
In a technical post, Trellix vulnerability researcher Kasimir Schulz, who rediscovered the bug, described the simple steps needed to exploit CVE-2007-4559 in the Windows version of Spyder IDE, an open source cross-platform integrated development environment for scientific programming.
The researchers showed that the vulnerability can be exploited on Linux as well: in a test they achieved code execution against Polemarch, an IT infrastructure management service.
Besides drawing attention to the vulnerability and the risk it poses, Trellix also created patches for just over 11,000 projects. The fixes are published in a separate fork of each affected repository.
Given the large number of affected repositories, the researchers expect more than 70,000 projects to receive the patch in the coming weeks.