Known vulnerabilities in the C library openssl which sqlcipher3 depends on. Can you help upgrade to patch versions?
Hi, @coleifer, @boldx , I'd like to report a vulnerability issue in sqlcipher3-binary_0.4.5.
Dependency Graph between Python and Shared Libraries

Issue Description
As shown in the above dependency graph, sqlcipher3-binary_0.4.5 directly or transitively depends on 2 C libraries (.so). However, I noticed that one of these C libraries is vulnerable, containing the following CVEs:
libcrypto-44dc4d8b.so.1.1.1b from the C project openssl (version 1.1.1) exposes 9 vulnerabilities:
CVE-2021-3711, CVE-2021-3712, CVE-2019-1549, CVE-2019-1543, CVE-2018-0735, CVE-2020-7041, CVE-2020-7043, CVE-2020-7042, CVE-2019-1552
Furthermore, the vulnerable methods in these vulnerable shared libraries can be actually invoked by Python code.
For instance, the following call chain starting from SSL_CTX_load_verify_locations() can reach the vulnerable method EC_GROUP_new_from_ecparameters() (EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) in crypto/ec/ec_asn1.c), reported by CVE-2021-3712:
Call chain:
SSL_CTX_load_verify_locations() -> X509_STORE_load_locations() -> X509_STORE_add_lookup() -> STACK_OF() -> PEM_X509_INFO_read_bio() -> d2i_ECPrivateKey() -> EC_GROUP_new_from_ecpkparameters() -> EC_GROUP_new_from_ecparameters()
Suggested Vulnerability Patch Versions
openssl has fixed the vulnerabilities in versions >= 1.1.1l.
Python build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Python projects. As a popular Python package (sqlcipher3-binary has 3,693 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
Andy
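An added example, not from the original report or from the sqlcipher3 project: since, as the report notes, Python build tools do not surface the version of a vendored libcrypto, this script locates any libcrypto*.so* bundled under an installed package, asks the shared object itself for its OPENSSL_VERSION_NUMBER, and flags builds older than 1.1.1l (the first release the report names as fixed). The install path and the sqlcipher3.libs directory name are assumptions.

```python
import ctypes
import pathlib
import sys

# OpenSSL 1.1.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
# M = major, NN = minor, FF = fix, PP = patch letter (a = 1, b = 2, ...),
# S = status nibble (0xf = release). 1.1.1l is therefore 0x101010CF.
FIXED_VERSION_NUM = 0x101010CF


def decode_version_num(num):
    """Turn an OPENSSL_VERSION_NUMBER into a human-readable 1.1.x string."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


def is_below_fix(num, fixed=FIXED_VERSION_NUM):
    """True when a libcrypto build is older than the patched release."""
    # Mask off the status nibble so a pre-release of 1.1.1l is not mistaken for older.
    return (num & ~0xF) < (fixed & ~0xF)


def find_bundled_libcrypto(package_dir):
    """Locate auditwheel-vendored libcrypto*.so* files under an installed package."""
    return sorted(pathlib.Path(package_dir).rglob("libcrypto*.so*"))


def audit_libcrypto(so_path):
    """Load the shared object and read its version straight from OpenSSL_version_num()."""
    lib = ctypes.CDLL(str(so_path))
    lib.OpenSSL_version_num.restype = ctypes.c_ulong
    num = lib.OpenSSL_version_num()
    return decode_version_num(num), is_below_fix(num)


if __name__ == "__main__":
    # Hypothetical install path: point this at wherever pip placed sqlcipher3's vendored libs.
    target = sys.argv[1] if len(sys.argv) > 1 else "site-packages/sqlcipher3.libs"
    for so in find_bundled_libcrypto(target):
        version, vulnerable = audit_libcrypto(so)
        state = "below 1.1.1l, needs rebuild" if vulnerable else "ok"
        print(f"{so.name}: OpenSSL {version} ({state})")
```

Run it against the package's vendored-library directory; a "below 1.1.1l" line is the signal that the wheel needs rebuilding against a patched OpenSSL.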
How do these vulnerabilities actually affect the library code as it is used by sqlcipher?