fofix / python-mixstream

C-extension in Python to combine SoundTouch and SDL_mixer
GNU General Public License v2.0

Potential security vulnerability in the libvorbis C library #35

Open JoeGardner000 opened 2 years ago

JoeGardner000 commented 2 years ago

Hi, @Linkid , I'd like to report a vulnerability issue in mixstream_1.1.0.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (only the part of the graph that depends on vulnerable shared libraries is shown), mixstream_1.1.0 directly or transitively depends on 5 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVE: libvorbisfile-c5d289a9.so.3.3.5 from C project libvorbis (version: 1.3.2) exposed 1 vulnerability: CVE-2020-20412

Suggested Vulnerability Patch Versions

libvorbis has fixed the vulnerabilities in versions >=1.3.6

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (mixstream has 1,887 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~ Best regards, Jor Gardner
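As an added example (not code from the mixstream project or from the reporter), here is how a maintainer could inventory the shared libraries that auditwheel vendored into a wheel and check an upstream version against the fixed version quoted above; the `<pkg>.libs/` layout, the `lib<name>-<hash>.so.<version>` naming and the sample wheel contents are assumptions constructed for the example.

```python
"""Inventory auditwheel-vendored shared libraries in a built wheel.

Assumption: auditwheel copies each external .so into a ``<pkg>.libs/``
directory and renames it ``lib<name>-<8 hex chars>.so[.<soname version>]``.
The filename records the soname, not the upstream release (the page's
libvorbisfile-c5d289a9.so.3.3.5 comes from libvorbis 1.3.2), so matching
an entry to an advisory still needs the upstream version from the build.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

_VENDORED = re.compile(
    r"^lib(?P<name>.+)-(?P<hash>[0-9a-f]{8})\.so(?:\.(?P<sover>[0-9.]+))?$"
)


def parse_vendored_name(filename: str) -> Optional[Dict[str, str]]:
    """Split an auditwheel-mangled filename; None for non-vendored files."""
    m = _VENDORED.match(filename)
    if not m:
        return None
    return {"name": m["name"], "hash": m["hash"], "sover": m["sover"] or ""}


def list_vendored_libs(wheel) -> List[Dict[str, str]]:
    """Return every vendored .so found under a top-level *.libs/ directory."""
    found = []
    with zipfile.ZipFile(wheel) as wh:
        for member in wh.namelist():
            parts = member.split("/")
            if len(parts) >= 2 and parts[0].endswith(".libs"):
                parsed = parse_vendored_name(parts[-1])
                if parsed:
                    parsed["path"] = member
                    found.append(parsed)
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_patched(upstream_version: str, fixed_in: str) -> bool:
    """True when the upstream release is at or above the fixed version."""
    return version_tuple(upstream_version) >= version_tuple(fixed_in)


def make_sample_wheel() -> io.BytesIO:
    """Constructed in-memory wheel mimicking an auditwheel-repaired layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wh:
        wh.writestr("mixstream/__init__.py", "")
        wh.writestr("mixstream/_mixstream.cpython-39-x86_64-linux-gnu.so", b"")
        wh.writestr("mixstream.libs/libvorbisfile-c5d289a9.so.3.3.5", b"")
        wh.writestr("mixstream.libs/libSDL2_mixer-2.0-0123abcd.so.0.2.2", b"")
        wh.writestr("mixstream-1.1.0.dist-info/METADATA", "Name: mixstream\n")
    buf.seek(0)
    return buf
```

Feed a real wheel path to `list_vendored_libs` and compare each library's upstream release (from the build log or the bundled source) with the version the advisory names via `is_patched`.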

Linkid commented 2 years ago

Hi! Thanks for the report!

Linkid commented 2 years ago

The version of this lib in CentOS 7 does not contain a patch for that. As some wheels are built with CentOS 7, it will not be fixed. Moreover, this CVE is really specific to StepMania and is local. So this is not a big one for us. So, this issue will be solved by itself when CentOS 7 is no longer used.