Security
Headlines
HeadlinesLatestCVEs

Headline

Tarfile path traversal bug from 2007 still present in 350k open source repos

Warning added to Python documentation was deemed preferable to a patch

PortSwigger
#vulnerability#git#zero_day

Adam Bannister 22 September 2022 at 15:39 UTC
Updated: 22 September 2022 at 15:57 UTC

Warning added to Python documentation was deemed preferable to a patch

An estimated 350,000 open source repositories are affected by a 15-year old path traversal vulnerability in Python’s tarfile module, according to security researchers.

Having “stumbled across” the unpatched issue while investigating an unrelated vulnerability, they initially thought the flaw was a new zero-day bug before realizing it actually dated back to 2007.

Originally designated a severity score of CVSS 6.8, CVE-2007-4559 allows attackers to gain code execution from the file-write “in most cases”, said Trellix researcher Kasimir Schulz in a blog post published yesterday (September 21).

Catch up with the latest open source software security news

Schulz explained how Trellix researchers successfully achieved this outcome against wireless protocol analyzer Universal Radio Hacker, IT infrastructure management service Polemarch, and Spyder IDE, an open-source development environment for scientific programming.

Patching marathon

In a separate Trellix blog post, Douglas McKee said 61% of a sample of around 300,000 files containing the tarfile module, which makes it possible to read and write tar archives, were vulnerable to the bug.

Trellix has created patches for around 11,000 projects and anticipates that a further 70,000 projects will receive a fix in the coming weeks.

The vulnerability arose “from two or three lines of code using unsanitized or the built-in defaults of ,” explains a third Trellix blog post by Charles McFarland. “Failure to write any safety code to sanitize the members files before calling or results in a directory traversal vulnerability, enabling a bad actor access to the file system.”

If an attacker adds ‘’ with the separator for the operating system (‘’ or ‘’) into the file name, they can escape the directory the file is supposed to be extracted into.

Just a warning

However, a Python bug thread from 2007, which has been reopened in recent days, concluded with a maintainer asserting that “tarfile.py does nothing wrong, its behaviour conforms to the pax definition and pathname resolution guidelines in POSIX. There is no known or possible practical exploit”.

The maintainer did add a warning to the Python documentation, which remains in place, that urges developers to “never extract archives from untrusted sources without prior inspection”.

Corner cases

Trellix’s McKee acknowledged that there are legitimate use cases for preserving behavior that could be abused for malicious purposes. However, he said, “in this instance I believe the risk outweighs the reward for accommodating a few corner cases”, especially given “most” third party online tutorials seemed to “incorrectly demonstrate the insecure use of the tarfile module”.

Trellix created and open-sourced a tool to aid the research and patching process that automatically detects the vulnerability in source code by leveraging AST intermediate representation.

Called Creosote, the utility provides a means to scan closed source repositories too.

“This vulnerability is incredibly easy to exploit” and prevalent in the wild, making Python’s tarfile module “a massive supply chain issue threatening infrastructure around the world”, concluded Schulz.

YOU MIGHT ALSO LIKE Parse Server fixes brute-forcing bug that put sensitive user data at risk

Related news

Red Hat Security Advisory 2024-0374-03

Red Hat Security Advisory 2024-0374-03 - An update for python-pip is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2023-7176-01

Red Hat Security Advisory 2023-7176-01 - An update for python-pip is now available for Red Hat Enterprise Linux 8. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2023-7151-01

Red Hat Security Advisory 2023-7151-01 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a traversal vulnerability.

Gentoo Linux Security Advisory 202309-06

Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.

Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover

Two security holes — one particularly gnarly — could allow hackers the freedom to do as they wish with the popular edge equipment.

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,

15-Year-Old Python Flaw Slithers into Software Worldwide

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

CVE-2007-4559: [Python-Dev] tarfile and directory traversal vulnerability

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig