Python is a programming language that has gained a lot of ground in recent years, thanks to how easy it is to apply day to day and how easy it can be to learn. Still, not even programming languages are exempt from security flaws, as has happened with Python.
Although it may seem unbelievable, this security flaw was reported in 2007, labelled CVE-2007-4559, and has never received a patch since. Specifically, the vulnerability lies in the tarfile.extract() and tarfile.extractall() functions, which do not sanitise the member names stored inside an archive: a crafted member whose name contains ".." components or an absolute path is written outside the intended extraction directory, so whoever supplies the archive can overwrite any file the extracting process is allowed to write to.
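The following is an added example, not code from the original article or from the researchers it describes. It builds a small tar archive in memory with a constructed member named `../escaped.txt`, shows that the plain extractall() call writes that file outside the target directory, and then shows a hardened extractor that resolves every member path against the destination and refuses links and device nodes before writing anything. Python 3.12 added a `filter` argument to extract()/extractall() (PEP 706, also backported to maintenance releases of 3.8 through 3.11); the hardened function uses `filter="data"` where the interpreter offers it, and the vulnerable function asks for the legacy `fully_trusted` behaviour on those interpreters so the demonstration is identical on every version. Directory and file names are the example's own choices.

```python
import io
import tarfile
import tempfile
from pathlib import Path


def build_malicious_tar() -> bytes:
    """Build, in memory, a tar archive carrying one ordinary member and one whose
    name climbs out of the extraction directory (constructed sample, not a
    real-world artefact)."""
    payload = b"owned\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("inner/ok.txt", "../escaped.txt"):
            info = tarfile.TarInfo(name=name)  # TarInfo stores the name verbatim
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_unsafe(data: bytes, dest: Path) -> None:
    """The CVE-2007-4559 pattern: member names are joined to dest unchecked."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        if hasattr(tarfile, "fully_trusted_filter"):
            # Interpreter has PEP 706 filters: request the legacy behaviour
            # explicitly so the escape is reproduced on every Python version.
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def extract_safe(data: bytes, dest: Path) -> None:
    """Reject any member that would land outside dest before writing anything,
    then extract with the 'data' filter where the interpreter offers it."""
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar.getmembers():
            # Symlinks, hard links and device nodes are separate escape routes.
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing special member {member.name!r}")
            # An absolute name replaces dest entirely; '..' components climb
            # out of it. Resolving and comparing catches both.
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"path traversal in member {member.name!r}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def run_demo() -> dict:
    """Run both extractors against the crafted archive in scratch directories
    and report whether the traversal member landed outside out/."""
    data = build_malicious_tar()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        out = root / "out"
        out.mkdir()
        extract_unsafe(data, out)
        results["unsafe_escaped"] = (root / "escaped.txt").is_file()  # outside out/
        results["unsafe_inner"] = (out / "inner" / "ok.txt").is_file()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        out = root / "out"
        out.mkdir()
        try:
            extract_safe(data, out)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["safe_escaped"] = (root / "escaped.txt").exists()
        results["safe_wrote_anything"] = any(out.iterdir())
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check runs over every member before the first write, so a malicious archive is rejected as a whole rather than half-extracted. Resolving with `Path.resolve()` also normalises the destination itself, which matters on systems where the temporary directory is reached through a symlink.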
An unpatched security flaw since 2007
This problem was re-examined by researchers who, despite finding the original report of the bug, found that no fix had ever been applied to it. They then set to work to determine how many software projects, open or closed source, carried the vulnerable pattern.
To do so, they selected 257 repositories that had a good chance of containing the vulnerable code, through which a malicious archive could end up overwriting files on the system. A combined manual and automated analysis found that 65% of these were vulnerable, although the sample is admittedly small.
Extrapolating this percentage to all the repositories, there could be as many as 350,000 vulnerable repositories, the majority of them belonging to machine learning tools.
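As an added example, not the researchers' own tooling, the scanner below shows what an automated pass of the kind described above can look like: it parses Python source with the standard `ast` module and flags every `.extract()` / `.extractall()` call that lacks a `filter=` keyword in a module that imports `tarfile`. The four source files are constructed samples standing in for repository code. The heuristic is a triage aid only: a file that imports `tarfile` but calls `zipfile`'s `extractall()` is a false positive, and code that validates member names by hand before calling `extract()` is a false negative, which is why manual review still has to follow.

```python
import ast
from typing import Dict, List, Tuple

# Constructed sample sources, standing in for files pulled from repositories.
SAMPLES: Dict[str, str] = {
    "vuln_a.py": (
        "import tarfile\n"
        "def unpack(p, d):\n"
        "    with tarfile.open(p) as t:\n"
        "        t.extractall(d)\n"
    ),
    "vuln_b.py": (
        "from tarfile import open as topen\n"
        "t = topen('x.tar')\n"
        "for m in t.getmembers():\n"
        "    t.extract(m, 'out')\n"
    ),
    "safe_c.py": (
        "import tarfile\n"
        "with tarfile.open('x.tar') as t:\n"
        "    t.extractall('out', filter='data')\n"
    ),
    "unrelated_d.py": (
        "import zipfile\n"
        "zipfile.ZipFile('x.zip').extractall('out')\n"
    ),
}


class UnsafeExtractFinder(ast.NodeVisitor):
    """Collect (line, method) for extract/extractall calls without filter=."""

    def __init__(self) -> None:
        self.uses_tarfile = False
        self.hits: List[Tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        if any(alias.name == "tarfile" for alias in node.names):
            self.uses_tarfile = True
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "tarfile":
            self.uses_tarfile = True
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in ("extract", "extractall"):
            # PEP 706 made filter a keyword-only argument, so checking the
            # keywords list is sufficient.
            if not any(kw.arg == "filter" for kw in node.keywords):
                self.hits.append((node.lineno, func.attr))
        self.generic_visit(node)


def scan_source(src: str) -> List[Tuple[int, str]]:
    """Return suspicious call sites in one module; empty if tarfile is unused."""
    finder = UnsafeExtractFinder()
    finder.visit(ast.parse(src))
    return finder.hits if finder.uses_tarfile else []


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each file name to its findings, keeping only files with hits."""
    report = {}
    for name, src in files.items():
        hits = scan_source(src)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for lineno, method in hits:
            print(f"{name}:{lineno}: unfiltered tarfile .{method}() call")
```

Run over a checkout with `ast.parse` on each `.py` file, this gives the candidate list that the manual review then confirms or discards.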
Many of the affected tools are automated and draw on these repositories to offer autocomplete suggestions. If a completely insecure snippet is suggested this way, it ends up integrated into the project without the developer being aware of it, and a malicious archive is then free to overwrite files at will.
At the moment there is no general fix for all the affected repositories, given their sheer number. The researchers intend to submit their own patches, fixing the problem in 70,000 projects over the coming weeks. Still, this serious Python problem should have been patched when it was discovered in 2007; instead it has remained "hidden" while spreading to so many projects.
Via | BleepingComputer