Closed andy201709 closed 2 years ago
I assume you're referring to the digital-rf wheels available through PyPI. I have just built new ones against hdf5 1.12.1 and they are now on PyPI, so that should take care of it. The conda packages are already built against hdf5 1.12.1. Let me know if there's still an issue.
Dear @ryanvolz , thank you very much for your help. May I ask you two more questions? Do you realize these types of vulnerablity issues induced by cross-language invocations?
Do you use any tools to help check whether your projects introduce vulnerable libraries implemented in other programming languages? Would such tool be useful for maintaining projects?
Best regards, Andy
Hi, @ryanvolz, @jswoboda , I'd like to report a vulnerability issue in digital-rf_2.6.7.
Dependency Graph between Python Project and Shared Libraries
Issue Description
As shown in the above dependency graph, digital-rf_2.6.7 directly or transitively depends on 5 C libraries (.so). However, I noticed that one of these C libraries is vulnerable, containing the following CVEs:
libhdf5-9db0017c.so.103.1.0
from C project hdf5(version:1.10.6) exposed 4 vulnerabilities:CVE-2020-10812, CVE-2020-10811, CVE-2020-10810, CVE-2020-10809.
Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Python code. For instance, the following call chain can reach the vulnerable method(C code) H5AC_unpin_entry() in file H5AC.c reported by CVE-2020-10810.
Suggested Vulnerability Patch Versions
hdf5 has fixed the vulnerabilities in versions >=1.12.1
Python build tools cannot easily report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (digital-rf has 21,908 downloads per month), could you please upgrade the above shared library to its patch version?
Thanks for your help~ Best regards, Andy