FAST
Vulnerable shared libraries might make pyFAST vulnerable. Can you help upgrade to patch versions?
Hi @smistad, @andreped, I'd like to report a vulnerability issue in pyfast_4.3.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (only the part that depends on vulnerable shared libraries is shown), pyfast_4.3.0 directly or transitively depends on 81 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libdcmdata.so.13, libdcmimgle.so.13, liboflog.so.13 and libofstd.so.13 from C project dcmtk (version: 3.6.2) exposed 1 vulnerability:
CVE-2019-1010228
libgdk_pixbuf-2.0.so.0 from C project gdk-pixbuf (version: 2.36.11) exposed 4 vulnerabilities:
CVE-2021-20240, CVE-2017-6313, CVE-2017-6312, CVE-2017-6314
libhdf5.so.103 and libhdf5_cpp.so.103 from C project hdf5 (version: 1.10.6) exposed 4 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
libicudata.so.60 and libicuuc.so.60 from C project icu (version: 60.2) exposed 1 vulnerability:
CVE-2020-21913
libjpeg.so.8 from C project libjpeg-turbo (version: 1.5.2) exposed 2 vulnerabilities:
CVE-2018-14498, CVE-2017-15232
libopenjp2.so.7 from C project openjpeg2 (version: 2.3.0) exposed 8 vulnerabilities:
CVE-2020-6851, CVE-2020-27824, CVE-2020-27823, CVE-2018-18088, CVE-2018-14423, CVE-2018-6616, CVE-2018-5785, CVE-2017-17480
libxml2.so.2 from C project libxml2 (version: 2.9.4) exposed 22 vulnerabilities:
CVE-2016-4658, CVE-2016-1838, CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517, CVE-2019-19956, CVE-2018-14404, CVE-2017-18258, CVE-2017-5130, CVE-2017-15412, CVE-2017-7375, CVE-2017-7376, CVE-2017-9050, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-8872, CVE-2017-5969, CVE-2016-9318, CVE-2017-16931, CVE-2017-16932
Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) H5AC_unpin_entry() in file H5AC.c reported by CVE-2020-10810.
Call chain:
H5Literate_by_name() -> H5G_iterate() -> H5G__obj_iterate() -> H5G__dense_iterate() -> H5HF_open() -> H5HF_close() -> H5HF_space_close() -> H5FS_close() -> H5FS_decr() -> H5AC_unpin_entry()
Suggested Vulnerability Patch Versions
dcmtk has fixed the vulnerabilities in versions >= 3.6.4
gdk-pixbuf has fixed the vulnerabilities in versions >= 2.42.0
hdf5 has fixed the vulnerabilities in versions >= 1.12.1
libjpeg-turbo has fixed the vulnerabilities in versions >= 2.0.0
icu has fixed the vulnerabilities in versions >= 67-1
openjpeg2 has fixed the vulnerabilities in versions >= 2.4.0
libxml2 has fixed the vulnerabilities in versions >= 2.9.11
Python build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Python projects. As a popular Python package (pyfast has 2,048 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
MikeWazowski
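The report's underlying point is that pip, pip-audit and similar tools only see the Python distribution, not the C shared objects a wheel carries along, so the bundled libraries have to be inventoried and checked separately. The script below is an added example written for this page; it is not the reporter's tooling and not part of FAST. It takes an inventory of bundled shared-object file names (as found under a package's directory and its auditwheel-style `<pkg>.libs/` folder, which is an assumed layout) together with their upstream versions, normalizes the hash-mangled file names auditwheel produces back to plain SONAMEs, and flags every library that sits below the minimum patched version listed in the issue. The SONAME only encodes the ABI major (for example `.so.103`), so the full version must come from the wheel's build manifest; the policy table and SONAME-to-project map are constructed from the issue text and are not independently verified against the CVEs.

```python
"""Audit shared libraries bundled in a Python wheel against a minimum-version policy.

Added example for this page (not FAST project code). Policy values are copied from
the issue's "Suggested Vulnerability Patch Versions" list and are not verified here.
"""
from __future__ import annotations

import re
from pathlib import Path

# Upstream project -> minimum version the issue says fixes the listed CVEs.
# ICU's "67-1" is the reporter's spelling of 67.1; parse_version() handles the dash.
MIN_PATCHED = {
    "dcmtk": "3.6.4",
    "gdk-pixbuf": "2.42.0",
    "hdf5": "1.12.1",
    "libjpeg-turbo": "2.0.0",
    "icu": "67-1",
    "openjpeg2": "2.4.0",
    "libxml2": "2.9.11",
}

# Constructed SONAME -> upstream project map for the libraries named in the issue.
SONAME_TO_PROJECT = {
    "libdcmdata.so.13": "dcmtk",
    "libdcmimgle.so.13": "dcmtk",
    "liboflog.so.13": "dcmtk",
    "libofstd.so.13": "dcmtk",
    "libgdk_pixbuf-2.0.so.0": "gdk-pixbuf",
    "libhdf5.so.103": "hdf5",
    "libhdf5_cpp.so.103": "hdf5",
    "libicudata.so.60": "icu",
    "libicuuc.so.60": "icu",
    "libjpeg.so.8": "libjpeg-turbo",
    "libopenjp2.so.7": "openjpeg2",
    "libxml2.so.2": "libxml2",
}

# auditwheel renames vendored libraries to lib<name>-<8 hex chars>.so[.N...].
# The lazy stem and the optional hash group strip the hash but keep "-2.0"-style
# version fragments that are part of the real SONAME (libgdk_pixbuf-2.0.so.0).
_MANGLED = re.compile(r"^(?P<stem>lib.+?)(?:-[0-9a-f]{8})?(?P<suffix>\.so(?:\.\d+)*)$")
_SHARED_OBJECT = re.compile(r"\.so(?:\.\d+)*$")


def normalize_soname(filename: str) -> str:
    """Map an auditwheel-mangled file name back to its plain SONAME."""
    m = _MANGLED.match(filename)
    return filename if m is None else m.group("stem") + m.group("suffix")


def parse_version(version: str) -> tuple[int, ...]:
    """'3.6.2' -> (3, 6, 2); '67-1' -> (67, 1). Non-numeric fragments are dropped."""
    return tuple(int(p) for p in re.split(r"[.\-_]", version) if p.isdigit())


def is_patched(project: str, version: str) -> bool:
    """True when the version meets the policy floor, or when no floor is known."""
    floor = MIN_PATCHED.get(project)
    if floor is None:
        return True
    return parse_version(version) >= parse_version(floor)


def audit(inventory: dict[str, str]) -> list[dict[str, str]]:
    """inventory maps a bundled file name to its upstream version string.

    Returns one finding per library that is below the policy floor, sorted by file name.
    """
    findings = []
    for filename, version in sorted(inventory.items()):
        soname = normalize_soname(filename)
        project = SONAME_TO_PROJECT.get(soname)
        if project is None or is_patched(project, version):
            continue
        findings.append({"file": filename, "soname": soname, "project": project,
                         "version": version, "min_patched": MIN_PATCHED[project]})
    return findings


def bundled_shared_objects(package_dir: str | Path) -> list[str]:
    """File names of every .so[.N] under an installed package (e.g. fast/ and fast.libs/)."""
    return sorted(p.name for p in Path(package_dir).rglob("*.so*")
                  if p.is_file() and _SHARED_OBJECT.search(p.name))


if __name__ == "__main__":
    # Constructed inventory mirroring the versions the reporter found in pyfast 4.3.0.
    sample = {
        "libhdf5-2b1ac32d.so.103": "1.10.6",  # hash-mangled name as auditwheel emits it
        "libxml2.so.2": "2.9.4",
        "libicuuc.so.60": "60.2",
        "libjpeg.so.8": "2.0.0",              # exactly at the floor: not reported
        "libz.so.1": "1.2.11",                # not in the policy: ignored
    }
    for f in audit(sample):
        print(f"{f['file']}: {f['project']} {f['version']} < {f['min_patched']}")
```

In practice the `inventory` dictionary would be built from `bundled_shared_objects(site_packages / "fast")` joined with the versions recorded when the wheel was built; the file name alone cannot tell `hdf5 1.10.6` from `1.12.1`, because both ship as `libhdf5.so.103`-style names.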
Thanks @MikeWazoWski123 for your analysis. We will try to update these libraries in future releases.