PalamaraLab / PrepareDecoding

Tool to compute decoding quantities
GNU General Public License v3.0

Potential security vulnerability in the C library which asmc-preparedecoding depends on. Can you help upgrade to patch versions? #11

Closed andy201709 closed 1 year ago

andy201709 commented 2 years ago

Hi, @fcooper8472 , @abhidg , I'd like to report a vulnerability issue in asmc-preparedecoding_2.2.2.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph, asmc-preparedecoding_2.2.2 directly or transitively depends on 3 C libraries (.so). However, I noticed that one of C libraries is vulnerable, containing the following CVEs: libgmp-afec2dd4.so.10.2.0 from C project gmp(version: 6.2.0) exposed a vulnerability:
CVE-2021-43618

Suggested Vulnerability Patch Versions

No official patch version released, but gmp has fixed the vulnerability in patch.

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (asmc-preparedecoding has 6,524 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Andy
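As an added example (not part of this issue or of the PrepareDecoding code), the check below parses the auditwheel-style vendored library names a wheel ships (such as `libgmp-afec2dd4.so.10.2.0` above) and flags any that appear in an advisory table. The `ADVISORIES` table, `parse_vendored`, `scan_vendored_libs` and `list_package_libs` are all assumptions of this example; the table is seeded only with the gmp/CVE-2021-43618 entry from the report.

```python
import re
from pathlib import Path
from importlib.metadata import distribution, PackageNotFoundError

# auditwheel renames vendored libraries as <name>-<hex tag>.so[.version],
# e.g. libgmp-afec2dd4.so.10.2.0 (the file named in the report above).
_MANGLED = re.compile(
    r"^(?P<name>lib[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{8,})\.so(?:\.(?P<ver>[0-9.]+))?$"
)

def parse_vendored(filename):
    """Return (libname, soname version) for a mangled vendored .so, else None."""
    m = _MANGLED.match(Path(filename).name)
    if not m:
        return None
    return m.group("name"), m.group("ver")

# Constructed advisory table (assumption): libname -> [(affected versions, CVE)].
# Only the gmp entry comes from this report; extend it from your own advisory feed.
ADVISORIES = {
    "libgmp": [({"10.2.0"}, "CVE-2021-43618")],
}

def scan_vendored_libs(filenames, advisories=ADVISORIES):
    """Flag vendored libraries whose soname version is listed in the advisory table."""
    findings = []
    for f in filenames:
        parsed = parse_vendored(f)
        if parsed is None:
            continue  # not an auditwheel-mangled vendored library
        name, ver = parsed
        for affected, cve in advisories.get(name, []):
            if ver in affected:
                findings.append((Path(f).name, name, ver, cve))
    return findings

def list_package_libs(dist_name):
    """List the .so files an installed distribution ships (e.g. in its .libs directory)."""
    try:
        dist = distribution(dist_name)
    except PackageNotFoundError:
        return []
    return [str(p) for p in (dist.files or []) if ".so" in p.name]

if __name__ == "__main__":
    # Offline run over a constructed file list; replace with list_package_libs("asmc-preparedecoding")
    sample = ["asmc_preparedecoding.libs/libgmp-afec2dd4.so.10.2.0",
              "asmc_preparedecoding.libs/libstdcxx-1234abcd.so.6.0.28"]
    for hit in scan_vendored_libs(sample):
        print("vulnerable vendored library:", hit)
```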

fcooper8472 commented 1 year ago

I believe this has been resolved in 2.2.3, which uses a patched version of gmp.

Not that it matters, but I'm not sure 6,500 downloads a month is even close to correct. I'd be surprised if it's 6,500 ever, judging by these stats: https://pypistats.org/packages/asmc-preparedecoding