1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • This ancient unpatched Python security flaw could leave thousands

    From TechnologyDaily@1337:1/100 to All on Thu Sep 22 20:45:03 2022
    This ancient unpatched Python security flaw could leave thousands of projects vulnerable

    Date:
    Thu, 22 Sep 2022 19:32:24 +0000

    Description:
    Researchers warn of widespread issues with Python following resurgence of now-teenage security flaw.

    FULL STORY ======================================================================

    A rather old unpatched Python security vulnerability has resurfaced, causing researchers to warn that hundreds of thousands of projects might be
    vulnerable to code execution.

    Cybersecurity researchers from Trellix have recently spotted CVE-2007-4559, a flaw in the Python tarfile package, first discovered back in 2007.

    However, back then, the flaw never received a patch, but rather just a
    warning published in a security bulletin. Identifying vulnerable projects

    The vulnerability is in code that uses un-sanitized tarfile.extract() function, or the built-in defaults of tarfileextractall(). Its a path traversal bug that enables an attacker to overwrite arbitrary files, the publication wrote.

    Now, researchers are saying, the flaw gives a bad actor access to the file system. Pythons bug tracker was updated with an announcement of a closed issue, with a further addition that it might be dangerous to extract archives from untrusted sources. The flaw is abusable both on Windows, and on Linux,
    it was said.

    Fifteen years is a long time, and apparently, some 350,000 projects might be vulnerable. Trellixs researchers first took a sample of 257 repositories(61%) were vulnerable. An automated analysis came back with a 65% positive rate. Read more

    Check out the best endpoint protection tools right now


    Python is about to solve one of its most frustrating issues


    Python programming libraries found hiding security threats

    Then, together with GitHub, Trellixs researchers found 588,840 unique repositories that include import tarfile in its Python code, which drew them to the conclusion that 350,000 (or roughly 61%), might be vulnerable.

    The problem is present in a vast number of industries, the researchers
    further found. The development sector is, unsurprisingly, the most impacted one, followed by web and machine learning technology.

    Trellixs researchers issued fixes for some 11,000 projects, available as a fork of the affected repository. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should get their fixes within a couple of weeks, but for all to be remedied, its going to take a little while. Here's our rundown of the best firewalls around



    ======================================================================
    Link to news story: https://www.techradar.com/news/this-ancient-unpatched-python-security-flaw-cou ld-leave-thousands-of-projects-vulnerable/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)