Python affected by a 15-year-old bug that keeps on giving

Briefly: The Python programming language is affected by a security issue that programmers have known about for a long time. Trellix researchers recently rediscovered the bug, highlighted the risk it poses to hundreds of thousands of software projects, and created patches for roughly 11,000 of them.

Being one of the most popular programming languages in the world, Python is both an opportunity and a risk for open source software and the software supply chain. Case in point: researchers have rediscovered a vulnerability that has been sitting in Python for 15 years. The behaviour "works as designed", at least according to the Python developers; others disagree and are working to provide patches for the affected projects.

First reported in 2007 and tracked as CVE-2007-4559, the vulnerability lies in the tarfile module, which Python programs use to read and write tar archives. The problem is a path traversal flaw: when an archive is extracted, each member is written to the location its stored name points to, and that name is not checked for ".." components or absolute paths. A crafted archive can therefore overwrite arbitrary files on the system, which in turn can lead to malicious code execution.
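To make the mechanism concrete, the following is an added example (not code from the Trellix write-up or from the Python project). It builds a tar archive in memory whose single member is named ../escaped.txt, extracts it with a plain extractall() call to show the file landing one level above the chosen directory, and then extracts it again through a check that refuses any member whose resolved path falls outside the destination. The archive contents, file names and temporary directories are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build a tar archive in memory from a {name: bytes} mapping.

    Member names are written exactly as given, which is how a malicious
    archive gets a name such as '../escaped.txt' in the first place.
    (Constructed for this demo, not a real-world sample.)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_extract(tar_bytes, dest):
    """The CVE-2007-4559 pattern: extractall() trusts the member names.

    Interpreters that have the 'filter' argument (3.12 and the backports)
    reproduce the historical behaviour with filter="fully_trusted";
    older interpreters behave that way unconditionally.
    """
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        tf.extractall(dest, **kwargs)


def is_within(dest, name):
    """True if writing member `name` under `dest` stays inside `dest`.

    realpath() resolves '..' components and symlinked parents, so the
    comparison is made on the final on-disk location, not the raw string.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(tar_bytes, dest):
    """Validate every member before anything is written, then extract."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if not is_within(dest, member.name):
                raise ValueError(f"path traversal attempt: {member.name!r}")
            if member.issym() or member.islnk():
                # A link pointing outside dest, followed by a member written
                # through it, is another escape route; refuse links outright
                # when the archive comes from an untrusted source.
                raise ValueError(f"link member refused: {member.name!r}")
        # Where the interpreter offers it, also use the built-in 'data' filter.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)


def demo():
    """Run both extractors on the same hostile archive.

    Returns (file_escaped_after_unsafe_extract, safe_extract_refused).
    """
    evil = build_tar({"../escaped.txt": b"written outside the extraction directory\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract_here")
        os.mkdir(dest)

        unsafe_extract(evil, dest)
        # The member lands in tmp, the parent of dest, not in dest itself.
        escaped = os.path.isfile(os.path.join(tmp, "escaped.txt"))

        try:
            safe_extract(evil, dest)
            refused = False
        except ValueError:
            refused = True
    return escaped, refused


def extract_benign():
    """A well-formed archive passes the same check; returns the extracted bytes."""
    good = build_tar({"project/README.txt": b"harmless\n"})
    with tempfile.TemporaryDirectory() as tmp:
        safe_extract(good, tmp)
        with open(os.path.join(tmp, "project", "README.txt"), "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    print("escaped, refused =", demo())
```

The check has to run over all members before the first write: validating lazily inside the extraction loop still lets earlier members land on disk when a later one is rejected. Python 3.12 added a `filter` argument to `extract()` and `extractall()` (also backported to the 3.8 through 3.11 maintenance releases); `filter="data"` refuses members that would escape the destination, so on a current interpreter that argument is the simplest fix, while the explicit `is_within` check above is what older code bases need.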

Since the initial report was posted 15 years ago, the tarfile vulnerability has received no fix or patch, only a documentation warning about the risk. To be fair, there have been no reports of attacks in the wild that exploit CVE-2007-4559.

However, the flaw was recently brought back to attention by Trellix. While investigating an unrelated vulnerability, the researchers said, they stumbled upon the old bug in the tarfile module.

When the case was discussed on the Python bug tracker, the developers again concluded that CVE-2007-4559 is not a bug: tarfile "does nothing wrong", they said, and there is no "known or possible workable exploit". The official Python documentation was updated once more with a warning about the risk of extracting archives from untrusted sources.

The researchers at Trellix, however, take a completely different view: CVE-2007-4559 is indeed a security vulnerability, they say. As evidence, they describe and demonstrate a simple exploit that takes advantage of the flaw in Spyder, a development environment for scientific programming.

Trellix also looked at how widespread CVE-2007-4559 is, analysing both closed and open source projects. An initial review of a sample of 257 repositories found 61 percent of them vulnerable; an automated scan of the same sample raised the figure to 65 percent, and the researchers then applied that analysis to a larger data set of 588,840 unique repositories hosted on GitHub.

All things considered, Trellix estimates that more than 350,000 projects could be vulnerable to CVE-2007-4559, with many of these projects being used by machine learning tools that help developers complete projects faster. Taking matters into their own hands, the researchers have already created patches for about 11,000 projects, and many more are expected to follow in the coming weeks.
