Get started
- I have read Contributing guidelines.
- I have confirmed that my problem could not be solved by the troubleshooting section in the documentation.
- I agree to follow the Code of Conduct.
- I have confirmed that my issue is not duplicated with an existing issue.
Description
Hi, @cainmagi, I'd like to report a vulnerability issue in mpegcoder_3.1.0b0.
(Image: Dependency Graph between Python and Shared Libraries)
Issue Description
As shown in the above dependency graph (only the part of the dependency graph that depends on vulnerable shared libraries is shown here), mpegcoder_3.1.0b0 directly or transitively depends on 121 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
- libm-2.31.so, libm.so.6 from C project glibc (version: 2.31) exposed 11 vulnerabilities: CVE-2020-10029, CVE-2020-6096, CVE-2020-1752, CVE-2020-29562, CVE-2021-27645, CVE-2020-27618, CVE-2021-3326, CVE-2021-33574, CVE-2019-25013, CVE-2021-38604, CVE-2021-35942
- libgssapi_krb5.so.2.2, libgssapi_krb5.so.2, libk5crypto.so.3.1, libk5crypto.so.3, libkrb5.so.3.3, libkrb5.so.3, libkrb5support.so.0.1, libkrb5support.so.0 from C project krb5 (version: 1.17) exposed 3 vulnerabilities: CVE-2021-37750, CVE-2021-36222, CVE-2020-28196
- libopenmpt.so.0.1.1, libopenmpt.so.0, libopenmpt.so from C project libopenmpt (version: 0.4.11) exposed 3 vulnerabilities: CVE-2017-11311, CVE-2018-10017, CVE-2018-6611
- libssh.so.4.8.4, libssh.so.4 and libssh.so from C project libssh (version: 0.9.3) exposed 2 vulnerabilities: CVE-2020-1730, CVE-2021-3634
- libvorbis.so.0.4.8, libvorbis.so.0, libvorbis.so, libvorbisenc.so.2.0.11, libvorbisenc.so.2, libvorbisenc.so, libvorbisfile.so.3.3.7, libvorbisfile.so.3 and libvorbisfile.so from C project libvorbis (version: 1.3.6) exposed 2 vulnerabilities: CVE-2018-10393, CVE-2018-10392
Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) asn1_error_code decode_atype(const taginfo *t, const unsigned char *asn1, size_t len, const struct atype_info *a, void *val) in krb5/asn.1/asn1_encode.c reported by CVE-2020-28196.
Call chain:
PQsetnonblocking() -> pqFlush() -> pqSendSome() -> pqReadData() -> pqsecure_read() -> pgtls_read() -> ERR_clear_error() -> ERR_get_state() -> ossl_init_thread_start() -> OPENSSL_init_crypto() -> ENGINE_register_all_complete() -> ENGINE_register_complete() -> ENGINE_register_ciphers() -> engine_table_register() -> int_table_check() -> LHASH_OF() -> SortFnByName() -> FUNCTION() -> fn() -> ECPGconnect() -> PQconnectdbParams() -> PQconnectStartParams() -> connectDBStart() -> PQconnectPoll() -> pqDropConnection() -> gss_release_cred() -> gssint_get_mechanism() -> gssint_mechglue_initialize_library() -> gssint_mechglue_init() -> gss_krb5int_lib_init() -> gss_iakerbmechglue_init() -> iakerb_gss_accept_sec_context() -> krb5_gss_accept_sec_context_ext() -> kg_accept_krb5() -> krb5_gss_acquire_cred() -> acquire_cred() -> acquire_cred_context() -> acquire_init_cred() -> maybe_get_initial_cred() -> get_initial_cred() -> krb5_get_init_creds_password() -> k5_get_init_creds() -> krb5_init_creds_init() -> krb5_string_to_deltat() -> yyparse() -> make_op() -> exprType() -> get_promoted_array_type() -> get_array_type() -> SearchSysCache1() -> SearchCatCache1() -> SearchCatCacheInternal() -> CatalogCacheInitializeCache() -> table_open() -> relation_open() -> LockRelationOid() -> LockAcquireExtended() -> LogAccessExclusiveLockPrepare() -> GetCurrentTransactionId() -> AssignTransactionId() -> GetNewTransactionId() -> ExtendCLOG() -> ZeroCLOGPage() -> SimpleLruZeroPage() -> SlruSelectLRUPage() -> SlruInternalWritePage() -> SlruPhysicalWritePage() -> XLogFlush() -> XLogWrite() -> RequestCheckpoint() -> CreateCheckPoint() -> CheckPointGuts() -> CheckPointBuffers() -> BufferSync() -> CheckpointWriteDelay() -> UpdateSharedMemoryConfig() -> UpdateFullPageWrites() -> XLogInsert() -> XLogRecordAssemble() -> upper() -> str_toupper() -> pg_newlocale_from_collation() -> SysCacheGetAttr() -> InitCatCachePhase2() -> index_close() -> RelationClose() -> RelationClearRelation() -> RelationReloadNailed() -> RelationInitPhysicalAddr() -> ScanPgRelation() -> ScanKeyInit() -> fmgr_info() -> fmgr_info_cxt_security() -> fmgr_sql() -> init_sql_fcache() -> get_call_result_type() -> internal_get_result_type() -> lookup_rowtype_tupdesc_copy() -> lookup_rowtype_tupdesc_internal() -> lookup_type_cache() -> load_domaintype_info() -> expression_planner() -> eval_const_expressions() -> eval_const_expressions_mutator() -> expand_function_arguments() -> recheck_cast_function_args() -> make_fn_arguments() -> coerce_type() -> coerce_to_domain() -> coerce_type_typmod() -> exprTypmod() -> exprIsLengthCoercion() -> func() -> krb5_tkt_creds_get() -> krb5_tkt_creds_step() -> get_creds_from_tgs_reply() -> krb5int_process_tgs_reply() -> krb5int_decode_tgs_rep() -> krb5_kdc_rep_decrypt_proc() -> decode_krb5_enc_kdc_rep_part() -> k5_asn1_full_decode() -> decode_atype_to_ptr() -> decode_sequence_of() -> decode_atype()
Suggested Vulnerability Patch Versions
glibc has fixed the vulnerabilities in versions >= 2.35
krb5 has fixed the vulnerabilities in versions >= 1.19.3
libopenmpt has fixed the vulnerabilities in versions >= 0.3.8
libssh has fixed the vulnerabilities in versions >= 0.9.6
libvorbis has fixed the vulnerabilities in versions >= 1.3.7
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular Python package, could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski
To Reproduce
- Get package from '...'
- Then run '...'
- An error occurs.
Traceback
No response
Behaviors
- The expected behaviors:
- The actual behaviors:
Screenshots
No response
OS
Ubuntu 18.04
Python version
3.7
numpy version
none
mpegCoder version
3.1.0
Additional context
No response
