Did you know we offer a price match guarantee?

  • Toggle navigation
logologo

Check your Toolchain

Python is popular, and so is the problem

Python Tarfile module Vulnerability
So popular in fact, it is the most popular programming language on Github by Pull Requests (Githut 2.0, 2022), having overtaken JavaScript late last year, and has the largest calculated market share of 17.08%, up 5.81% on the previous year (TIOBE Index, 2022).

The Problem

CVE-2007-4559

User-assisted remote attackers can overwrite arbitrary files via a filename ".." sequence in TAR archives via the extract and extractall functions in the tarfile module.

A ".." sequence vulnerability is an example of directory traversal, caused by code not sanitising the given path, in this case where the module is to extract from.

SCOPE

The exploit is 15 years old.

The exploit affects some 350,000 open-source projects.

How many closed sources are affected?

The Solution

The official documentation reminds us of the obvious: don't trust unknown sources.

python tarfile advice

To automate the process, there is a recursive script that searches and scans python files for the tarfile vulnerability: Creosote

Recent Posts

Categories