A warning was chosen preferable to a patch and added to the Python documentation. Security experts estimate that a 15-year-old path traversal vulnerability in Python’s tarfile module affects 350,000 open source repositories.

They “discovered” the unpatched issue while looking into a different vulnerability. Initially believed it to be a brand-new zero-day bug until finding it actually existed as early as 2007.

In a blog post yesterday, Trellix researcher Kasimir Schulz stated that CVE-2007-4559 originally had a severity score of CVSS 6.8. Allows attackers to obtain code execution through the file-write “in most circumstances” (September 21).

Schulz described how Trellix researchers beat the open source repositories scientific programming environment Spyder IDE. IT infrastructure management tool Polemarch, and wireless protocol analyzer Universal Radio Hacker to reach this result.

Patching marathon

Douglas McKee stated in a different Trellix blog post that the flaw affected 61% of a sample of roughly 300,000 files containing the tarfile module, which allows users to read and write tar archives.

Around 11,000 projects have received patches from Trellix, and the company expects another 70,000 projects in the next weeks.

In a separate Trellix blog post, Charles McFarland says that the vulnerability resulted from “two or three lines of code utilizing unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall().” “A directory traversal vulnerability, which allows a malicious actor access to the file system, stems from failure to write any safety code to sanitize the member’s files before using tarfile.extract() or tarfile.extractall().”

An attacker can escape the directory the file is supposed to be extracted into by adding “..” with the operating system separator (‘/’ or “) to the file name.

Just a warning

A maintainer, however, claimed in the conclusion of a 2007 Python bug thread that “tarfile.py does nothing wrong, its behavior conforms to the pax definition and pathname resolution standards in POSIX,” which was recently reopened. There isn’t a practical exploit that is known or conceivable.

The Python documentation does still contain the caution that the maintainer added, advising developers. He requested to never extract archives from unknown sources without previous inspection”.

Corner cases

McKee from Trellix stated that there are circumstances where it makes sense to keep behavior that may otherwise be utilized maliciously. But considering that “most” third-party web tutorials appeared to “incorrectly demonstrate the unsafe usage of the tarfile module,” he claimed. In this instance, I believe the risk outweighs the gain for accommodating a few corner instances.”

To help with the investigation and patching process, Trellix developed and released an open-source application that uses the AST intermediate form to automatically identify vulnerabilities in source code.

The tool, called Creosote, also offers a way to examine closed source repositories.

According to Schulz, the Python tarfile module is “a big supply chain concern impacting infrastructure around the world. Since it is “very trivial to attack” and frequently found in the wild.