The Trellix research team said they have patched nearly 62,000 open-source projects that were susceptible to a 15-year-old path traversal vulnerability in the Python programming ecosystem.
The team identified the bug, tracked under CVE-2007-4559, in Python’s tarfile module late last year. It was first reported to the Python project in 2007 but left unchecked. Since then, its presence has greatly expanded: the module is used in approximately 350,000 open-source projects and countless other closed-source or proprietary software projects.
To minimize the vulnerability surface area, the team drew inspiration from security researcher Jonathan Leitschuh’s DEFCON 2022 talk on fixing vulnerabilities at scale, spending months conducting automated patching to close the vulnerability in 61,895 open-source projects, according to a Jan. 23 Trellix blog post.
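The path traversal the article describes comes from extracting archive members whose names point outside the destination directory. The following added example (not code from the article or from Trellix) shows the defensive check a patch of this kind applies: every member's resolved path is confirmed to lie inside the destination before it is extracted, and link members are refused conservatively. The archive is constructed inline so the check can be exercised offline; the function and archive names are my own.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member plus one whose name
    tries to leave the extraction directory. Built in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("pkg/README.txt", b"hello\n"),
                              ("../escape.txt", b"oops\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True when target, after normalisation, lies under directory."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only members that stay inside dest.

    Returns (extracted_names, rejected_names). Absolute names, names that
    normalise to a location outside dest, and symbolic/hard links are rejected
    rather than extracted; links are refused outright as a conservative choice.
    """
    extracted: list[str] = []
    rejected: list[str] = []
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if (os.path.isabs(member.name)
                    or not is_within_directory(dest, target)
                    or member.issym()
                    or member.islnk()):
                rejected.append(member.name)
                continue
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report results."""
    dest = tempfile.mkdtemp(prefix="safe_tar_demo_")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return {
        "extracted": extracted,
        "rejected": rejected,
        "readme_present": os.path.isfile(os.path.join(dest, "pkg", "README.txt")),
        "escape_present": os.path.isfile(os.path.join(dest, os.pardir, "escape.txt")),
    }


if __name__ == "__main__":
    print(run_demo())
```

Recent Python releases also ship extraction filters (`filter="data"` on `extractall`/`extract`, added under PEP 706) that enforce the same containment rule inside the standard library; the explicit check above is what a patch has to add on interpreters that predate those filters.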
As many open-source projects lack dedicated staff and resources, mass patching and automated patching can be an effective tool for lessening the attack surface. While still a relatively new concept, with the first major real-world application introduced by Leitschuh last year, Trellix researchers told SC Media that their successful patch this time paves the way for the open-source community to leverage similar tactics in the future to better defend their projects from potential exploitation.