Python: 15-year-old vulnerability potentially affecting 350,000 projects


The bug report for the directory traversal vulnerability in the tarfile module has existed since 2007. It was closed with nothing more than a note in the documentation.


Cybersecurity company Trellix has discovered a fifteen-year-old vulnerability in a Python module. The tarfile module, which is designed to process tar archives, is vulnerable to directory traversal attacks in its unpack methods.


According to Trellix, which was formed in early 2022 from the merger of McAfee and FireEye, the security researchers initially believed they had encountered a zero-day vulnerability. They apparently discovered it by accident while investigating an unrelated vulnerability. However, the supposedly new vulnerability already has a CVE (Common Vulnerabilities and Exposures) entry dating back to 2007.

The directory traversal vulnerability is listed by the National Institute of Standards and Technology (NIST) as CVE-2007-4559. The affected functions are extract and extractall in the tarfile module.

The module uses the class TarInfo to store metadata such as file names, sizes and checksums. An attacker can modify this metadata so that a member's path leaves the current directory, using a “/” prefix or “../”, and for example overwrites the password file via “../../../etc/passwd”. The module does not check for such constructs.
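A defensive check against the traversal described above, as an added example that is not part of the original article or of Python's own tarfile code: the archive is a constructed sample, and the function names (is_within, partition_members, safe_extract) are my own.

```python
import io
import os
import tarfile
from typing import List, Tuple

def build_sample_archive() -> bytes:
    """Constructed sample: one benign member plus two path-traversal members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../../../etc/passwd", b"root::0:0::/:/bin/sh\n"),
                              ("/tmp/absolute.txt", b"abs\n")):
            info = tarfile.TarInfo(name)       # addfile() keeps the name exactly as given
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def is_within(base: str, target: str) -> bool:
    """True if target resolves inside base; catches '../', absolute paths and symlinked prefixes."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def partition_members(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Return (safe, rejected) member names using the check that safe_extract enforces."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)   # this join is where '../' and a leading '/' escape
            ok = is_within(dest, target)
            if ok and m.issym():                  # symlink targets are relative to the member's dir
                ok = is_within(dest, os.path.join(os.path.dirname(target), m.linkname))
            elif ok and m.islnk():                # hard link targets are relative to the archive root
                ok = is_within(dest, os.path.join(dest, m.linkname))
            (safe if ok else rejected).append(m.name)
    return safe, rejected

def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only members that stay inside dest; return the names that were refused."""
    safe, rejected = partition_members(data, dest)
    # Python 3.12+ (and security backports) ship tarfile.data_filter, which applies a similar check.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest, members=[m for m in tar.getmembers() if m.name in safe], **kwargs)
    return rejected

def demo() -> Tuple[List[str], bool]:
    """Run safe_extract on the sample in a temp dir; report rejections and whether readme landed."""
    import tempfile
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(build_sample_archive(), dest)
        landed = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return rejected, landed
```

The link checks only cover the link entry itself; a later member writing through an already created symlink is the case the built-in data filter handles, so prefer it where the interpreter provides it.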


The issue has been open since August 2007, when a developer drew attention to it in an email. Only two days later, however, the responsible developers concluded that it was not a security problem:

“After careful consideration and a private discussion with Martin, I no longer believe that we have a security problem. tarfile.py is doing nothing wrong, it is behaving according to the pax definition and the guidelines for pathname resolution in POSIX. A known or possible practical exploit does not exist.”

They then closed the bug without changing the code, but added an additional warning to the documentation.

How many projects are actually affected can only be estimated. In its press release, Trellix puts the number of affected open source projects at a good 350,000, and closed source projects are affected as well. tarfile is part of Python’s standard library, and Trellix has found it in use in frameworks from Netflix, AWS, Intel, Facebook and Google, as well as in machine learning and Docker containerization applications.

Shortly after the vulnerability was announced, fresh comments appeared on the associated issue, so it is quite possible that someone will finally take care of the old problem.


Further details on the vulnerability, the search for potentially affected projects and a demonstration of how to exploit the vulnerability in the Spyder IDE can be found in a blog post.
