Alert: 15-year-old Python tarfile flaw lurks in 'over 350,000' code projects
At least 350,000 open source projects are believed to be potentially vulnerable to exploitation via a Python module flaw that has remained unfixed for 15 years.
Identified as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a Python mailing list post from Jan Matejek, who was at the time the Python package maintainer for SUSE. It can be exploited to potentially overwrite and hijack files on a victim's machine, when a vulnerable application opens a malicious tar archive via tarfile.
The tarfile directory traversal flaw was reported on August 29, 2007 by Tomas Hoger, a software engineer at Red Hat.
Trellix estimates the tarfile flaw can be found "In over 350,000 open-source projects and prevalent in closed-source projects." It also points out that tarfile is part of Python's standard library, so it is available by default in any Python project, and that it is present in frameworks created by AWS, Facebook, Google, and Intel, and in applications for machine learning, automation, and Docker containers.
Trellix says it's working to make repaired code available to affected projects.
"Due to the size of vulnerable projects we expect to continue this process over the next few weeks. This is expected to hit 12.06 percent of all vulnerable projects, a little over 70K projects by the time of completion."
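The flaw described above is that `extract`/`extractall` trust member names as they appear in the archive. The following is an added example (not code from the article or from Trellix) of the check a consumer of untrusted tar files would want: it resolves every member's destination path and refuses the whole archive if any entry (including symlink or hardlink targets) would land outside the extraction directory. The archive bytes are constructed in memory purely to exercise the check; `DEST` paths are never written to.

```python
import io
import os
import tarfile


def _inside(base: str, path: str) -> bool:
    """True when path resolves to base itself or to something below it."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would escape dest: '../' or absolute names,
    plus symlinks/hardlinks whose target lies outside dest."""
    unsafe = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)  # absolute m.name discards dest entirely
        if not _inside(dest, target):
            unsafe.append(m.name)
        elif m.issym() and not _inside(dest, os.path.join(os.path.dirname(target), m.linkname)):
            unsafe.append(m.name)  # symlink target is relative to the member's own directory
        elif m.islnk() and not _inside(dest, os.path.join(dest, m.linkname)):
            unsafe.append(m.name)  # hardlink target is relative to the archive root
    return unsafe


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member fails the check; never extract partially."""
    unsafe = find_unsafe_members(tar, dest)
    if unsafe:
        raise ValueError(f"refusing to extract, unsafe members: {unsafe}")
    tar.extractall(dest)


def build_archive(entries) -> bytes:
    """Constructed in-memory archive for the demo. entries: (name, data, symlink_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name=name)  # TarInfo keeps names verbatim, unlike tar.add()
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_bytes(archive: bytes, dest: str) -> list:
    """Run the member check over raw archive bytes without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return find_unsafe_members(tar, dest)
```

Python releases that include PEP 706 offer the same protection natively via `extractall(path, filter="data")`; on older interpreters a pre-extraction check like this one is the fix.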
News URL
https://go.theregister.com/feed/www.theregister.com/2022/09/22/python_vulnerability_tarfile/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2007-08-28 | CVE-2007-4559 | Path Traversal vulnerability in Python: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. | 0.0 |