PyMeshLab
Potential security vulnerabilities in the C libraries which PyMeshLab depends on. Can you help upgrade to patch versions?
Hi, @alemuntoni , @jmespadero, I'd like to report a vulnerability issue in pymeshlab_2022.2.post2.
Issue Description
pymeshlab_2022.2.post2 directly or transitively depends on 123 C libraries (.so) (I downloaded it from PyPI). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libbsd.so.0 (from C project libbsd, version 0.8.7) exposes 1 vulnerability:
CVE-2019-20367

libgcrypt.so.20 (from C project libgcrypt20, version 1.8.1) exposes 1 vulnerability:
CVE-2018-0495

libgssapi_krb5.so.2, libk5crypto.so.3, libkrb5support.so.0 and libkrb5.so.3 (from C project krb5, version 1.16) expose 2 vulnerabilities:
CVE-2021-37750, CVE-2021-36222

libicudata.so.60 and libicuuc.so.60 (from C project icu, version 60.2) expose 1 vulnerability:
CVE-2020-21913

liblz4.so.1 (from C project lz4, version r131) exposes 1 vulnerability:
CVE-2019-17543

libsystemd.so.0 (from C project systemd, version 237) exposes 15 vulnerabilities:
CVE-2018-15686, CVE-2018-15688, CVE-2018-15687, CVE-2018-16866, CVE-2018-16865, CVE-2018-16864, CVE-2021-33910, CVE-2020-1712, CVE-2020-13776, CVE-2019-3843, CVE-2019-3844, CVE-2019-3842, CVE-2018-6954, CVE-2013-4392, CVE-2019-20386
Suggested Vulnerability Patch Versions
libbsd has fixed the vulnerabilities in versions >=0.10.0
libgcrypt20 has fixed the vulnerabilities in versions >=1.8.3
krb5 has fixed the vulnerabilities in versions >=1.19.3
icu has fixed the vulnerabilities in versions >=67
systemd has fixed the vulnerabilities in versions >=250
lz4 has fixed the vulnerabilities in versions >=1.9.2

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (pymeshlab has 20,162 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, MikeWazowski
Hi @MikeWazoWski123,
thanks for reporting this.
The pymeshlab deployment system on linux is based on linuxdeploy, and it is run on the oldest still-supported distro. In this way, it will be possible to run pymeshlab on almost all the still-supported linux distributions. In our case, pymeshlab is built on ubuntu 18.04, which is the system that github actions provides for us.
In this build, I run apt-get upgrade before building and deploying pymeshlab, and therefore packages are updated to the latest version available in Ubuntu 18.04. However, it seems that libraries are not updated to the versions you are referring to.
Is it possible that security patches are not applied on Ubuntu 18.04? And in this case, how do you suggest solving the issue?
I can't deploy using a newer distro of Ubuntu, since it seems that it breaks compatibility with Ubuntu 18.04.
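The question above (whether Ubuntu 18.04 applies security patches) has a practical check behind it: Debian and Ubuntu routinely backport security fixes into the existing upstream version, so a scanner that maps "systemd 237" to a CVE list can flag CVEs that the distro package already addresses. The package changelog records the CVE ids each security upload fixed. The script below is an added example, not code from the issue or from the PyMeshLab project; it extracts CVE ids from a Debian-format changelog and splits a scanner's CVE list into ids the changelog accounts for and ids that remain open. The changelog text embedded in it is a constructed sample in the Debian format, not the real Ubuntu changelog for libsystemd0, and the two CVE ids it mentions were picked from the report above purely to show the matching; `load_changelog` reads the real changelog from `/usr/share/doc/<pkg>/changelog.Debian.gz` or `apt-get changelog` when run on an actual Ubuntu build host.

```python
"""Reconcile a version-based CVE report against a Debian/Ubuntu package changelog.

Added example: the sample changelog below is constructed for illustration and
is NOT the real Ubuntu changelog for systemd/libsystemd0.
"""
from __future__ import annotations

import gzip
import re
import subprocess
from pathlib import Path

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample in Debian changelog format (illustrative only).
SAMPLE_CHANGELOG = """\
systemd (237-3ubuntu10.99) bionic-security; urgency=medium

  * SECURITY UPDATE: stack exhaustion via deeply nested mount paths
    - debian/patches/CVE-2021-33910.patch: use heap allocation
    - CVE-2021-33910
  * SECURITY UPDATE: crash via malformed DNS response
    - CVE-2020-1712

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

systemd (237-3ubuntu10) bionic; urgency=medium

  * New upstream release
"""

# The libsystemd.so.0 CVE list exactly as given in the report above.
REPORTED_SYSTEMD_CVES = [
    "CVE-2018-15686", "CVE-2018-15688", "CVE-2018-15687", "CVE-2018-16866",
    "CVE-2018-16865", "CVE-2018-16864", "CVE-2021-33910", "CVE-2020-1712",
    "CVE-2020-13776", "CVE-2019-3843", "CVE-2019-3844", "CVE-2019-3842",
    "CVE-2018-6954", "CVE-2013-4392", "CVE-2019-20386",
]


def cves_in_changelog(text: str) -> set[str]:
    """Return every CVE id mentioned anywhere in a changelog."""
    return set(CVE_RE.findall(text))


def reconcile(reported: list[str], changelog: str) -> dict[str, list[str]]:
    """Split a scanner's CVE list into ids the changelog mentions and the rest.

    A mention is a triage signal, not proof of a fix: read the surrounding
    entry (it may say "not affected" or describe a regression).
    """
    mentioned = cves_in_changelog(changelog)
    return {
        "addressed": sorted(c for c in reported if c in mentioned),
        "unaccounted": sorted(c for c in reported if c not in mentioned),
    }


def load_changelog(package: str) -> str:
    """Read the changelog of an installed Debian/Ubuntu binary package.

    Tries the installed copy first, then falls back to `apt-get changelog`,
    which fetches it from the distro's changelog server.
    """
    path = Path("/usr/share/doc") / package / "changelog.Debian.gz"
    if path.exists():
        with gzip.open(path, "rt", errors="replace") as fh:
            return fh.read()
    result = subprocess.run(["apt-get", "changelog", package],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Offline run against the constructed sample; on a build host replace
    # SAMPLE_CHANGELOG with load_changelog("libsystemd0").
    result = reconcile(REPORTED_SYSTEMD_CVES, SAMPLE_CHANGELOG)
    print("addressed in changelog:", ", ".join(result["addressed"]))
    print("still unaccounted:     ", ", ".join(result["unaccounted"]))
```

The unaccounted list is what to take to the Ubuntu CVE tracker or to upstream: those are the ids where neither the upstream version nor the distro changelog shows a fix. The same pass applies to each package named in the report (libbsd0, libgcrypt20, libkrb5-3, libicu60, liblz4-1 on 18.04), and it separates "version number looks old" from "fix genuinely missing", which is the distinction a version-only scanner cannot make.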
This issue has been automatically marked as stale because it has not had recent activity. The resources of the VCLab team are limited, and so we are asking for your help. If this is a bug and you can still reproduce this error on the last release of PyMeshLab, please reply with all of the information you have about it in order to keep the issue open. If this is a feature request, and you feel that it is still relevant and valuable, please tell us why. This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.