Description
Get started
- I have read Contributing guidelines.
- I have confirmed that my problem could not be solved by the troubleshooting section in the documentation.
- I agree to follow the Code of Conduct.
- I have confirmed that my issue is not duplicated with an existing issue.
Description
Hi @cainmagi, I'd like to report a vulnerability issue in mpegcoder_3.1.0b0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown here), mpegcoder_3.1.0b0 directly or transitively depends on 121 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
libm-2.31.so and libm.so.6 from C project glibc (version 2.31) exposed 11 vulnerabilities:
CVE-2020-10029, CVE-2020-6096, CVE-2020-1752, CVE-2020-29562, CVE-2021-27645, CVE-2020-27618, CVE-2021-3326, CVE-2021-33574, CVE-2019-25013, CVE-2021-38604, CVE-2021-35942
libgssapi_krb5.so.2.2, libgssapi_krb5.so.2, libk5crypto.so.3.1, libk5crypto.so.3, libkrb5.so.3.3, libkrb5.so.3, libkrb5support.so.0.1 and libkrb5support.so.0 from C project krb5 (version 1.17) exposed 3 vulnerabilities:
CVE-2021-37750, CVE-2021-36222, CVE-2020-28196
libopenmpt.so.0.1.1, libopenmpt.so.0 and libopenmpt.so from C project libopenmpt (version 0.4.11) exposed 3 vulnerabilities:
CVE-2017-11311, CVE-2018-10017, CVE-2018-6611
libssh.so.4.8.4, libssh.so.4 and libssh.so from C project libssh (version 0.9.3) exposed 2 vulnerabilities:
CVE-2020-1730, CVE-2021-3634
libvorbis.so.0.4.8, libvorbis.so.0, libvorbis.so, libvorbisenc.so.2.0.11, libvorbisenc.so.2, libvorbisenc.so, libvorbisfile.so.3.3.7, libvorbisfile.so.3 and libvorbisfile.so from C project libvorbis (version 1.3.6) exposed 2 vulnerabilities:
CVE-2018-10393, CVE-2018-10392
Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) asn1_error_code decode_atype (const taginfo *t, const unsigned char *asn1, size_t len, const struct atype_info *a, void *val) in krb5/asn.1/asn1_encode.c reported by CVE-2020-28196.
call chain:
PQsetnonblocking() -> pqFlush() -> pqSendSome() -> pqReadData() -> pqsecure_read() -> pgtls_read() -> ERR_clear_error() -> ERR_get_state() -> ossl_init_thread_start() -> OPENSSL_init_crypto() -> ENGINE_register_all_complete() -> ENGINE_register_complete() -> ENGINE_register_ciphers() -> engine_table_register() -> int_table_check() -> LHASH_OF() -> SortFnByName() -> FUNCTION() -> fn() -> ECPGconnect() -> PQconnectdbParams() -> PQconnectStartParams() -> connectDBStart() -> PQconnectPoll() -> pqDropConnection() -> gss_release_cred() -> gssint_get_mechanism() -> gssint_mechglue_initialize_library() -> gssint_mechglue_init() -> gss_krb5int_lib_init() -> gss_iakerbmechglue_init() -> iakerb_gss_accept_sec_context() -> krb5_gss_accept_sec_context_ext() -> kg_accept_krb5() -> krb5_gss_acquire_cred() -> acquire_cred() -> acquire_cred_context() -> acquire_init_cred() -> maybe_get_initial_cred() -> get_initial_cred() -> krb5_get_init_creds_password() -> k5_get_init_creds() -> krb5_init_creds_init() -> krb5_string_to_deltat() -> yyparse() -> make_op() -> exprType() -> get_promoted_array_type() -> get_array_type() -> SearchSysCache1() -> SearchCatCache1() -> SearchCatCacheInternal() -> CatalogCacheInitializeCache() -> table_open() -> relation_open() -> LockRelationOid() -> LockAcquireExtended() -> LogAccessExclusiveLockPrepare() -> GetCurrentTransactionId() -> AssignTransactionId() -> GetNewTransactionId() -> ExtendCLOG() -> ZeroCLOGPage() -> SimpleLruZeroPage() -> SlruSelectLRUPage() -> SlruInternalWritePage() -> SlruPhysicalWritePage() -> XLogFlush() -> XLogWrite() -> RequestCheckpoint() -> CreateCheckPoint() -> CheckPointGuts() -> CheckPointBuffers() -> BufferSync() -> CheckpointWriteDelay() -> UpdateSharedMemoryConfig() -> UpdateFullPageWrites() -> XLogInsert() -> XLogRecordAssemble() -> upper() -> str_toupper() -> pg_newlocale_from_collation() -> SysCacheGetAttr() -> InitCatCachePhase2() -> index_close() -> RelationClose() -> RelationClearRelation() -> RelationReloadNailed() -> RelationInitPhysicalAddr() -> ScanPgRelation() -> ScanKeyInit() -> fmgr_info() -> fmgr_info_cxt_security() -> fmgr_sql() -> init_sql_fcache() -> get_call_result_type() -> internal_get_result_type() -> lookup_rowtype_tupdesc_copy() -> lookup_rowtype_tupdesc_internal() -> lookup_type_cache() -> load_domaintype_info() -> expression_planner() -> eval_const_expressions() -> eval_const_expressions_mutator() -> expand_function_arguments() -> recheck_cast_function_args() -> make_fn_arguments() -> coerce_type() -> coerce_to_domain() -> coerce_type_typmod() -> exprTypmod() -> exprIsLengthCoercion() -> func() -> krb5_tkt_creds_get() -> krb5_tkt_creds_step() -> get_creds_from_tgs_reply() -> krb5int_process_tgs_reply() -> krb5int_decode_tgs_rep() -> krb5_kdc_rep_decrypt_proc() -> decode_krb5_enc_kdc_rep_part() -> k5_asn1_full_decode() -> decode_atype_to_ptr() -> decode_sequence_of() -> decode_atype()
Suggested Vulnerability Patch Versions
glibc has fixed the vulnerabilities in versions >=2.35
krb5 has fixed the vulnerabilities in versions >=1.19.3
libopenmpt has fixed the vulnerabilities in versions >=0.3.8
libssh has fixed the vulnerabilities in versions >=0.9.6
libvorbis has fixed the vulnerabilities in versions >=1.3.7
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
Since this is a popular Python package, could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
MikeWazowski
To Reproduce
- Get package from '...'
- Then run '...'
- An error occurs.
Traceback
No response
Behaviors
- The expected behaviors:
- The actual behaviors:
Screenshots
No response
OS
Ubuntu 18.04
Python version
3.7
numpy version
none
mpegCoder version
3.1.0
Additional context
No response
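One way to recover the kind of dependency graph the report refers to, that is, which ELF shared objects a wheel actually ships and which of them need which others, is to read the SONAME and DT_NEEDED entries straight out of the bundled files. The script below is an added example written for this page; it is not mpegCoder's code and not the reporter's tool. It parses the ELF64 dynamic section in pure Python (little-endian only, no ldd or readelf), walks a wheel archive, and splits each library's needs into libraries bundled inside the wheel and libraries resolved from the host. The member names in demo() (mpegCoder.libs/libkrb5.so.3 and so on) and the tiny ELF files it builds are constructed fixtures, not the real wheel's contents.

```python
"""Recover the SONAME / DT_NEEDED graph of the ELF shared objects inside a wheel.
Added example for this page, not mpegCoder's own code; ELF64 little-endian only."""
import io
import os
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14


def parse_dynamic(data: bytes) -> dict:
    """Return {'soname': str|None, 'needed': [str]} from an ELF64 LE shared object."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF file")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []  # (sh_type, sh_offset, sh_size, sh_link) per section header
    for i in range(e_shnum):
        f = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        sections.append((f[1], f[4], f[5], f[6]))

    def cstr(strtab_off: int, idx: int) -> str:
        end = data.index(b"\0", strtab_off + idx)
        return data[strtab_off + idx:end].decode()

    out = {"soname": None, "needed": []}
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        str_off = sections[sh_link][1]  # sh_link of .dynamic points at .dynstr
        for pos in range(sh_offset, sh_offset + sh_size, 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                out["needed"].append(cstr(str_off, d_val))
            elif d_tag == DT_SONAME:
                out["soname"] = cstr(str_off, d_val)
    return out


def audit_wheel(wheel) -> dict:
    """Map each ELF member of a wheel (path or file object) to its dynamic info."""
    found = {}
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            if ".so" not in os.path.basename(name):  # libfoo.so.6, ext.cpython-37m-*.so
                continue
            data = zf.read(name)
            if data.startswith(ELF_MAGIC):
                found[name] = parse_dynamic(data)
    return found


def dependency_graph(found: dict) -> dict:
    """Split each member's DT_NEEDED into libs bundled in the wheel and libs the
    dynamic loader will take from the host (glibc's libc.so.6, libm.so.6, ...)."""
    by_soname = {info["soname"] or os.path.basename(m): m for m, info in found.items()}
    return {
        m: {"bundled": [by_soname[n] for n in info["needed"] if n in by_soname],
            "external": [n for n in info["needed"] if n not in by_soname]}
        for m, info in found.items()
    }


def build_elf(soname, needed) -> bytes:
    """Constructed fixture: a minimal ELF64 LE file holding only .dynstr and .dynamic."""
    strtab, soname_idx, needed_idx = b"\0", None, []
    if soname:
        soname_idx, strtab = len(strtab), strtab + soname.encode() + b"\0"
    for n in needed:
        needed_idx.append(len(strtab))
        strtab += n.encode() + b"\0"
    strtab += b"\0" * (-len(strtab) % 8)  # keep .dynamic 8-byte aligned
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, i) for i in needed_idx)
    if soname_idx is not None:
        dyn += struct.pack("<qQ", DT_SONAME, soname_idx)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    strtab_off, dyn_off = 64, 64 + len(strtab)
    shoff = dyn_off + len(dyn)

    def shdr(sh_type, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0) + shdr(SHT_STRTAB, strtab_off, len(strtab), 0)
             + shdr(SHT_DYNAMIC, dyn_off, len(dyn), 1))
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + strtab + dyn + shdrs


def demo() -> dict:
    """Constructed in-memory wheel: an extension module plus two bundled krb5 libs.
    Names mirror the usual <pkg>.libs layout but are not the real wheel's contents."""
    members = {
        "mpegCoder.cpython-37m-x86_64-linux-gnu.so": build_elf(None, ["libkrb5.so.3", "libc.so.6"]),
        "mpegCoder.libs/libkrb5.so.3": build_elf("libkrb5.so.3", ["libk5crypto.so.3", "libc.so.6"]),
        "mpegCoder.libs/libk5crypto.so.3": build_elf("libk5crypto.so.3", ["libc.so.6"]),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    buf.seek(0)
    return dependency_graph(audit_wheel(buf))
```

Against a real wheel, call audit_wheel('/path/to/the.whl') (placeholder path) and feed the result to dependency_graph. The bundled/external split is the check worth doing before acting on a report like this one: only the libraries copied into the wheel (the .libs directory) are the package maintainer's to rebuild against patched versions, whereas libc.so.6 and libm.so.6 are never bundled by manylinux wheels and always resolve against the host's glibc, so the glibc entry in the list above is fixed by updating the operating system, not the package.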