PyCon AU 2025

Caleb Brown

Caleb is a Senior Software Engineer working for Google's Open Source Security Team. At Google he contributes to deps.dev and maintains a repository of malicious package reports for open source packages. Caleb has been using Python for over 15 years, starting with building Django sites at publishing companies.

Bluesky handle: @calebbrown.bsky.social


Session

09-14, 13:30 (30 min)
Unarchiving vulnerabilities and avoiding tar-pits
Caleb Brown

I found some vulnerabilities in Python's standard library, and now you've all had to upgrade your Python. Sorry, not sorry.

My day job is focused on open source and software supply chain security. This has made me curious: how trustworthy are the core technologies our ecosystems are built on, like 46-year-old archiving formats?

So after I read a vulnerability report that exploited symlinks in TAR files, I wondered whether Python suffered the same problem. I started poking around and ended up finding an arbitrary write path traversal in Python's standard library.

This talk will provide a detailed look at this vulnerability and demonstrate how it can be exploited by an attacker to compromise an exposed system.
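The vulnerability class described above (archive members whose paths or link targets climb out of the extraction directory) is something an application can audit for before it ever calls `extractall()`. The following is an added example for this page, not code from the talk or from CPython: it lexically resolves every member path and every symlink or hard-link target against the destination and rejects anything that escapes, then falls back on the standard library's `filter="data"` extraction (available since Python 3.12 and backported to security releases of 3.8 through 3.11) where present. The sample archive it builds is constructed in memory purely as test input; `/tmp/unpack` and all function names are this example's own.

```python
import io
import os
import tarfile


def _inside(dest: str, rel: str) -> bool:
    """True if dest/rel still lies within dest after normalisation.

    realpath() collapses '..' components (and follows any symlink that already
    exists on disk), so 'docs/../../x' is caught before anything is written.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, rel))
    return target == root or target.startswith(root + os.sep)


def audit_members(tar: tarfile.TarFile, dest: str) -> dict:
    """Return {member name: reason} for every member that must not be extracted."""
    rejected = {}
    for m in tar.getmembers():
        # 1. The member's own path must stay under dest.
        if os.path.isabs(m.name) or not _inside(dest, m.name):
            rejected[m.name] = "path escapes destination"
            continue
        # 2. Links must also point inside dest; otherwise a later member written
        #    *through* the link lands outside it (the symlink trick in the report
        #    mentioned above).
        if m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory; a hard
            # link target is relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or not _inside(dest, os.path.join(base, m.linkname)):
                rejected[m.name] = "link target escapes destination"
            continue
        # 3. Only plain files and directories are acceptable from untrusted input.
        if not (m.isfile() or m.isdir()):
            rejected[m.name] = "special file (device/fifo)"
    return rejected


def audit_archive_bytes(data: bytes, dest: str) -> dict:
    """Audit an in-memory archive without touching the disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only if the audit is clean; returns the member names extracted."""
    bad = audit_archive_bytes(data, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):
            # Belt and braces: the stdlib 'data' filter re-checks every member
            # at extraction time on interpreters that have it.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return tar.getnames()


def build_sample_archive(include_unsafe: bool = True) -> bytes:
    """Constructed test archive (not a real-world sample): one benign file and,
    optionally, two members that a naive extractall() would write outside dest."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("docs/readme.txt")
        ok.size = len(payload)
        tar.addfile(ok, io.BytesIO(payload))
        if include_unsafe:
            climb = tarfile.TarInfo("../escaped.txt")  # '..' walks out of dest
            climb.size = len(payload)
            tar.addfile(climb, io.BytesIO(payload))
            link = tarfile.TarInfo("docs/link")         # symlink pointing outside dest
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    dest = tempfile.mkdtemp()
    print(audit_archive_bytes(build_sample_archive(), dest))
```

Always extract into a fresh, empty directory: the lexical check cannot account for symlinks that already exist under `dest` from a previous extraction, which is one more reason to keep the standard library's own filter enabled as well.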

I’ll also discuss how these vulnerabilities illustrate key security challenges developers face while building their projects: the differing incentives of libraries and the applications that use them, the limits of abstractions, and the difficulty of hardening legacy code.

With the movement towards more regulation, like the EU's Cyber Resilience Act, and growing interest in improving software security, appreciating these challenges can help developers spend more of their time building exciting projects and less of it mitigating vulnerabilities.

Main Conference
Ballroom 1