MITHaystack / digital_rf

Read, write, and interact with data in the Digital RF and Digital Metadata formats

Could you help upgrade the vulnerable shared library introduced by package digital_rf? #40

Closed andy201709 closed 2 years ago

andy201709 commented 2 years ago

Hi, @ryanvolz, @jswoboda, I'd like to report a vulnerability issue in digital-rf_2.6.7.

Dependency Graph between Python Project and Shared Libraries

[Image: dependency graph for digital-rf_2.6.7]

Issue Description

As shown in the above dependency graph, digital-rf_2.6.7 directly or transitively depends on 5 C libraries (.so). However, I noticed that one of these C libraries is vulnerable, containing the following CVEs: libhdf5-9db0017c.so.103.1.0 from C project hdf5 (version: 1.10.6) exposed 4 vulnerabilities: CVE-2020-10812, CVE-2020-10811, CVE-2020-10810, CVE-2020-10809.

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) H5AC_unpin_entry() in file H5AC.c reported by CVE-2020-10810.

Call chain:
H5Literate_by_name() -> H5G_iterate() -> H5G__obj_iterate() -> H5G__dense_iterate() -> H5HF_open() -> H5HF_close() -> H5HF_space_close() -> H5FS_close() -> H5FS_decr() -> H5AC_unpin_entry()

Suggested Vulnerability Patch Versions

hdf5 has fixed the vulnerabilities in versions >=1.12.1

Python build tools cannot easily report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular Python package (digital-rf has 21,908 downloads per month), could you please upgrade the above shared library to its patch version?

Thanks for your help~ Best regards, Andy

ryanvolz commented 2 years ago

I assume you're referring to the digital-rf wheels available through PyPI. I have just built new ones against hdf5 1.12.1 and they are now on PyPI, so that should take care of it. The conda packages are already built against hdf5 1.12.1. Let me know if there's still an issue.

andy201709 commented 2 years ago

Dear @ryanvolz, thank you very much for your help. May I ask you two more questions? Do you realize these types of vulnerability issues induced by cross-language invocations?

Do you use any tools to help check whether your projects introduce vulnerable libraries implemented in other programming languages? Would such a tool be useful for maintaining projects?

Best regards, Andy
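
An added example, not part of the thread and not code from the digital_rf project: a sketch of the kind of check the thread discusses, listing the shared libraries vendored into a wheel and comparing them against a fixed-in release. It assumes the auditwheel layout (a `*.libs/` directory holding hash-suffixed file names); the libhdf5 file name and the 1.10.6 and 1.12.1 versions are the ones quoted in the issue, while `libexample` and the in-memory wheel are constructed.

```python
import io
import re
import zipfile

# auditwheel-style vendored name: <lib>-<8 hex chars>.so[.<soversion>]
VENDORED = re.compile(
    r"^(?P<lib>lib[\w+.-]+?)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[\d.]+))?$")

def bundled_libs(wheel):
    """List (lib, tag, soversion) for shared objects under any *.libs/ directory."""
    found = []
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            parent, _, base = name.rpartition("/")
            m = VENDORED.match(base)
            if m and parent.endswith(".libs"):
                found.append((m["lib"], m["tag"], m["sover"]))
    return found

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit(wheel, upstream_version, fixed_in):
    """Classify each vendored library as 'outdated', 'ok' or 'unknown'.

    upstream_version maps (lib, soversion) to the upstream release it was built
    from; fixed_in maps lib to the first fixed release. Both are reviewer input.
    """
    report = []
    for lib, _tag, sover in bundled_libs(wheel):
        version = upstream_version.get((lib, sover))
        if version is None or lib not in fixed_in:
            status = "unknown"  # cannot decide without reviewer-supplied data
        elif as_tuple(version) < as_tuple(fixed_in[lib]):
            status = "outdated"
        else:
            status = "ok"
        report.append((lib, sover, version, status))
    return report

def make_sample_wheel():
    """Constructed in-memory wheel; only the libhdf5 file name comes from the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("digital_rf/__init__.py", "")
        zf.writestr("digital_rf.libs/libhdf5-9db0017c.so.103.1.0", b"")
        zf.writestr("digital_rf.libs/libexample-0123abcd.so.1", b"")
    return buf

if __name__ == "__main__":
    for row in audit(make_sample_wheel(), {("libhdf5", "103.1.0"): "1.10.6"}, {"libhdf5": "1.12.1"}):
        print(row)
```

Libraries reported as `unknown` are the ones a Python-level dependency scan would pass over silently, so they need a manual lookup of the upstream release they were built from.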