
A Python that may Swallow 350K Open Source projects

The flaw is more than 15 years old and hasn't been fixed yet, leaving several open source projects vulnerable to exploitation

A recent report said that as many as 350,000 open source projects could be at risk due to a module in Python that has remained unfixed for nearly 15 years. Researchers at a security firm said the issue is actually about 5,500 days old, meaning the bug has lived on unpatched for the past decade and a half.

Security firm Trellix, quoted by The Register, said its threat researchers encountered the vulnerability in Python's tarfile module, which provides the means to read and write compressed bundles of files known to the techies as tar archives. The flaw has been identified as CVE-2007-4559 and appears to have existed since August 2007.

The bug was identified in a Python mailing list post from Jan Matejek, who was the package maintainer for Python for SUSE. The bug could let an attacker overwrite and hijack files on a machine when a vulnerable application opens a malicious tar archive via tarfile, the report said.

Kasimir Schulz, a vulnerability researcher at Trellix, explained in a blog post published on September 21 that tarfile allows developers to add a filter that can be used to parse and modify a file's metadata before it is added to the tar archive. "This enables attackers to create their exploits with as little as 6 lines of code," he added.
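As an added illustration (not code from Trellix, The Register or CPython), the check below builds a small tar archive in memory containing a member whose name climbs out of the extraction directory, the pattern CVE-2007-4559 is about, and shows a pre-extraction check an application that consumes untrusted tar files can apply before calling `extractall`. The archive contents and function names are constructed for this example.

```python
import io
import os
import tarfile

def build_archive(members) -> bytes:
    """Build a tar archive in memory from (name, payload) pairs (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample: one benign member and one whose name climbs out of the
# extraction directory with "..", the member shape CVE-2007-4559 is about.
SAMPLE_ARCHIVE = build_archive([
    ("docs/readme.txt", b"hello"),
    ("../../outside.txt", b"would land outside dest"),
])

def _within(directory: str, target: str) -> bool:
    """True when the normalised target path stays under directory."""
    directory, target = os.path.realpath(directory), os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory

def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of members that would be written outside dest.
    Link targets are checked too: a symlink target is relative to the link's
    own directory, a hardlink target to the archive root."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            path = os.path.join(dest, m.name)
            if not _within(dest, path):
                bad.append(m.name)
            elif m.issym() and not _within(
                    dest, os.path.join(os.path.dirname(path), m.linkname)):
                bad.append(m.name)
            elif m.islnk() and not _within(dest, os.path.join(dest, m.linkname)):
                bad.append(m.name)
    return bad

def safe_extract(archive: bytes, dest: str) -> None:
    """Extract only when no member escapes dest."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError("refusing to extract, traversal in members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
```

On Python 3.12 and later (and the 3.8 to 3.11 security backports), `extractall(dest, filter="data")` performs equivalent rejection natively; the explicit check remains useful on older interpreters.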

Schulz reiterated that the vulnerability is “incredibly easy” to exploit. “Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world,” warned Schulz.
