Trellix fixes 62,000 open-source projects vulnerable to a 15-year-old flaw
According to the Trellix research team, they patched nearly 62,000 open-source projects that were vulnerable to a 15-year-old path traversal vulnerability in the Python programming ecosystem.
The organization stated that the CVE-2007-4559 vulnerability, which has been present in Python for over 15 years, put an estimated 350,000 open source projects at risk. The path traversal vulnerability, which has been found in frameworks developed by AWS, Facebook, Google, and Intel, has the potential to allow threat actors to overwrite arbitrary files, potentially leading to takeover and control of the device.
Since the discovery in September, Trellix has patched 61,895 projects via the software development platform GitHub, with the work led by Kasimir Schulz and Charles McFarland.
Trellix said its team was inspired to patch the vulnerabilities by Jonathan Leitschuh’s DEFCON 2022 talk on fixing vulnerabilities at scale. It went on to say that its Advanced Research Center vulnerability team was able to automate the majority of the process, with the exception of quality control. It divided the work into two steps, patching and pull requests, both of which were automated and only needed to be executed.
“GitHub was a great partner in this process,” Trellix said. “After receiving a list of repositories and files that contained the keyword ‘import tarfile,’ our team was able to compile a unique list of repositories to scan. We could not have executed this large-scale effort without quick delivery of actionable data from GitHub.”
After receiving the list, the team used Creosote, a free tool they created for developers to check if their applications are vulnerable, to determine which repositories needed to be patched. After identifying a vulnerable repository, the team patched the file and created a local patch diff so users could compare the two files. The team then moved on to the pull request phase, first going over a list of local patch diffs and then forking the repository on GitHub. If the original file had not changed after cloning the fork, they replaced it with the patched file.
The vulnerable tarfile module ships with the Python standard library and is a readily available solution for a common problem; however, that also means it is firmly embedded in the supply chain of many projects, and Python itself has not shipped a direct fix.
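The root cause described above is that `tarfile.extractall()` trusts member names as written, so an archive entry such as `../../etc/something` is written outside the destination directory. The following is an added example, not code from Trellix's patches or the Creosote tool: a validating wrapper that checks every member name and link target against the destination before extracting anything, plus a constructed in-memory archive builder used only to exercise the check.

```python
import io
import os
import tarfile

class UnsafeArchiveMember(Exception):
    """A tar member would be written outside the destination directory."""

def is_within_directory(directory, target):
    """True if target resolves to directory itself or somewhere beneath it."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory

def check_members(tar, dest):
    """Return all member names if each stays inside dest, else raise on the first
    offender. Symlink targets resolve relative to the member's directory, hard-link
    targets relative to the archive root, matching how tarfile extracts them."""
    names = []
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)  # an absolute name discards dest
        if not is_within_directory(dest, member_path):
            raise UnsafeArchiveMember(f"name escapes destination: {member.name!r}")
        if member.issym():
            link_path = os.path.join(os.path.dirname(member_path), member.linkname)
        elif member.islnk():
            link_path = os.path.join(dest, member.linkname)
        else:
            link_path = None
        if link_path is not None and not is_within_directory(dest, link_path):
            raise UnsafeArchiveMember(f"link escapes destination: {member.name!r}")
        names.append(member.name)
    return names

def safe_extract(tar, dest):
    """Validate the whole archive before extracting anything; a bare
    tar.extractall(dest) is the unpatched pattern behind CVE-2007-4559."""
    names = check_members(tar, dest)
    tar.extractall(dest)
    return names

def build_tar(entries):
    """Constructed in-memory sample archive from {member_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tw.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Newer Python releases add an extraction `filter` argument that performs similar checks; the explicit wrapper is the portable fix for code bases that must keep running on older interpreters.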
The sources for this piece include an article in SC Magazine.