
Vulnerable shared libraries might make pyFAST vulnerable. Can you help upgrade to patch versions?

Open • MikeWazoWski123 opened this issue 2 years ago • 1 comment

Hi, @smistad , @andreped , I'd like to report a vulnerability issue in pyfast_4.3.0.

Dependency Graph between Python and Shared Libraries

(image: dependency graph between pyfast_4.3.0 and its shared libraries)

Issue Description

As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown), pyfast_4.3.0 directly or transitively depends on 81 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

- libdcmdata.so.13, libdcmimgle.so.13, liboflog.so.13 and libofstd.so.13 from C project dcmtk (version 3.6.2) exposed 1 vulnerability: CVE-2019-1010228
- libgdk_pixbuf-2.0.so.0 from C project gdk-pixbuf (version 2.36.11) exposed 4 vulnerabilities: CVE-2021-20240, CVE-2017-6313, CVE-2017-6312, CVE-2017-6314
- libhdf5.so.103 and libhdf5_cpp.so.103 from C project hdf5 (version 1.10.6) exposed 4 vulnerabilities: CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
- libicudata.so.60 and libicuuc.so.60 from C project icu (version 60.2) exposed 1 vulnerability: CVE-2020-21913
- libjpeg.so.8 from C project libjpeg-turbo (version 1.5.2) exposed 2 vulnerabilities: CVE-2018-14498, CVE-2017-15232
- libopenjp2.so.7 from C project openjpeg2 (version 2.3.0) exposed 8 vulnerabilities: CVE-2020-6851, CVE-2020-27824, CVE-2020-27823, CVE-2018-18088, CVE-2018-14423, CVE-2018-6616, CVE-2018-5785, CVE-2017-17480
- libxml2.so.2 from C project libxml2 (version 2.9.4) exposed 22 vulnerabilities: CVE-2016-4658, CVE-2016-1838, CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517, CVE-2019-19956, CVE-2018-14404, CVE-2017-18258, CVE-2017-5130, CVE-2017-15412, CVE-2017-7375, CVE-2017-7376, CVE-2017-9050, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-8872, CVE-2017-5969, CVE-2016-9318, CVE-2017-16931, CVE-2017-16932

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked from Python code. For instance, the following call chain can reach the vulnerable method (C code) H5AC_unpin_entry() in file H5AC.c, reported by CVE-2020-10810.

Call chain:
H5Literate_by_name() -> H5G_iterate() -> H5G__obj_iterate() -> H5G__dense_iterate() -> H5HF_open() -> H5HF_close() -> H5HF_space_close() -> H5FS_close() -> H5FS_decr() -> H5AC_unpin_entry()

Suggested Vulnerability Patch Versions

- dcmtk has fixed the vulnerabilities in versions >=3.6.4
- gdk-pixbuf has fixed the vulnerabilities in versions >=2.42.0
- hdf5 has fixed the vulnerabilities in versions >=1.12.1
- libjpeg-turbo has fixed the vulnerabilities in versions >=2.0.0
- icu has fixed the vulnerabilities in versions >=67-1
- openjpeg2 has fixed the vulnerabilities in versions >=2.4.0
- libxml2 has fixed the vulnerabilities in versions >=2.9.11

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (pyfast has 2,048 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~
Best regards,
MikeWazowski

MikeWazoWski123, Apr 02 '22 09:04
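The report's point that Python build tools do not surface the C libraries bundled in a wheel is something a downstream user can check locally. The script below is an added example, not pyFAST's code or the reporter's tool: it reads the DT_SONAME and DT_NEEDED entries of every ELF64 shared object under a package directory (the edges of the dependency graph shown above) and cross-checks the sonames against the advisory entries in the issue. The ADVISORY table is copied from the post; build_fake_elf(), demo() and the sample library names are constructed fixtures so the script runs offline. To audit a real installation, call scan_package_dir() on the package's lib directory (the site-packages path mentioned in the comment is an assumption about the wheel layout).

```python
"""Inventory the ELF shared libraries shipped inside an installed Python package
and flag the sonames named in the report above.  Added example, not pyFAST code
or the reporter's tool; reads little-endian ELF64 only (x86_64 Linux wheels)."""
import os
import struct
import tempfile

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes)
SH_HDR = "<IIQQQQIIQQ"          # Elf64_Shdr (64 bytes)
DYN_ENT = "<qQ"                 # Elf64_Dyn  (16 bytes)
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14

# soname -> (project, version bundled in pyfast_4.3.0, first fixed version); subset copied from the issue
ADVISORY = {
    "libdcmdata.so.13": ("dcmtk", "3.6.2", "3.6.4"),
    "libhdf5.so.103": ("hdf5", "1.10.6", "1.12.1"),
    "libjpeg.so.8": ("libjpeg-turbo", "1.5.2", "2.0.0"),
    "libopenjp2.so.7": ("openjpeg2", "2.3.0", "2.4.0"),
    "libxml2.so.2": ("libxml2", "2.9.4", "2.9.11"),
}

def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

def parse_dynamic(data):
    """Return (soname, [DT_NEEDED names]) read from the .dynamic section."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SH_HDR, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    soname, needed = None, []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab_off = sections[sh[6]][4]        # sh_link points at .dynstr
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_ENT, data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(_cstr(data, strtab_off + val))
            elif tag == DT_SONAME:
                soname = _cstr(data, strtab_off + val)
    return soname, needed

def scan_package_dir(root):
    """Parse every *.so* file under root (assumed layout: site-packages/fast/lib)."""
    libs = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if ".so" in name:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    try:
                        libs[path] = parse_dynamic(fh.read())
                    except ValueError:
                        pass                   # not an ELF64 object, skip it
    return libs

def audit(libs):
    """Advisory hits among the bundled sonames and their DT_NEEDED closure."""
    closure = set()
    for soname, needed in libs.values():
        closure.update(([soname] if soname else []) + needed)
    return [(n,) + ADVISORY[n] for n in sorted(closure) if n in ADVISORY]

def build_fake_elf(soname, needed):
    """Constructed fixture: a minimal ELF64 with only .dynstr and .dynamic,
    enough for parse_dynamic(); the dynamic linker could not load it."""
    strtab, offs = b"\x00", {}
    for n in [soname] + list(needed):
        offs[n] = len(strtab)
        strtab += n.encode() + b"\x00"
    dyn = b"".join(struct.pack(DYN_ENT, DT_NEEDED, offs[n]) for n in needed)
    dyn += struct.pack(DYN_ENT, DT_SONAME, offs[soname]) + struct.pack(DYN_ENT, DT_NULL, 0)
    strtab_off, dyn_off = 64, 64 + len(strtab)
    shoff = dyn_off + len(dyn)
    shdrs = struct.pack(SH_HDR, *([0] * 10))                      # SHT_NULL entry
    shdrs += struct.pack(SH_HDR, 0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(SH_HDR, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)         # ELF64, LE, version 1
    ehdr = struct.pack(ELF_HDR, ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + strtab + dyn + shdrs

def demo():
    """Audit two constructed libraries written to a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, needed in (("libfast.so", ["libhdf5.so.103", "libc.so.6"]),
                             ("libxml2.so.2", ["libc.so.6"])):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(build_fake_elf(name, needed))
        return audit(scan_package_dir(root))

if __name__ == "__main__":
    for soname, project, have, fixed in demo():
        print(f"{soname}: {project} {have} bundled, fixed in >= {fixed}")
```

A soname such as libhdf5.so.103 only encodes the ABI version, not the project release, so the table keyed by soname is a first-pass screen: a hit means the bundled copy must still be checked against the project's own release notes, which is exactly the mapping the issue supplies.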

Thanks @MikeWazoWski123 for your analysis. We will try to update these libraries in future releases.

smistad, Apr 05 '22 07:04