Hi, @gayverjr , I'd like to report a vulnerability issue in pyopencap_1.2.1.post1.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (only the part of the dependency graph that depends on vulnerable shared libraries is shown), pyopencap_1.2.1.post1 directly or transitively depends on 3 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libhdf5-249516a5.so.103.1.0 from C project hdf5 (version: 1.10.6) exposed 4 vulnerabilities:
CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) H5AC_unpin_entry() in file H5AC.c reported by CVE-2020-10810.
Suggested Vulnerability Patch Versions
hdf5 has fixed the vulnerabilities in versions >=1.12.1.
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pyopencap has 4,187 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~ Best regards, MikeWazowski
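The gap the reporter describes (pip-level tooling sees the Python package, not the C libraries vendored into its wheel) can be narrowed with a small inventory check. The script below is an added example, not code from the issue or from pyopencap: it parses auditwheel-style mangled filenames such as libhdf5-249516a5.so.103.1.0 and matches them against an advisory table. The table is an assumption built only from the data in this issue (hdf5 1.10.6 ships SONAME major 103; fixed in >=1.12.1), and the second filename in the usage is constructed.

```python
import re
from pathlib import Path

# auditwheel renames vendored libraries to lib<name>-<8 hex chars>.so[.<version>];
# the greedy <lib> group makes the LAST "-<hash>" the separator, so names that
# themselves contain a hyphen still parse.
MANGLED = re.compile(r"^(?P<lib>lib.+)-(?P<hash>[0-9a-f]{8})\.so(?:\.(?P<ver>[0-9.]+))?$")

# Constructed advisory table (assumption): (library, SONAME major) -> what this
# issue reports for libhdf5.so.103.1.0. Extend with further entries as needed.
ADVISORIES = {
    ("libhdf5", "103"): {
        "project": "hdf5",
        "version": "1.10.6",
        "fixed_in": ">=1.12.1",
        "cves": ["CVE-2020-10809", "CVE-2020-10810", "CVE-2020-10811", "CVE-2020-10812"],
    },
}


def parse_bundled_name(filename):
    """Split a mangled .so filename into library name, hash and SONAME version."""
    m = MANGLED.match(filename)
    if m is None:
        return None
    ver = m.group("ver") or ""
    return {
        "lib": m.group("lib"),
        "hash": m.group("hash"),
        "version": ver,
        "major": ver.split(".")[0] if ver else "",
    }


def audit_bundled_libs(filenames):
    """Return one finding per vendored library whose (name, SONAME major) is in ADVISORIES."""
    findings = []
    for name in filenames:
        info = parse_bundled_name(name)
        if info is None:
            continue
        advisory = ADVISORIES.get((info["lib"], info["major"]))
        if advisory is not None:
            findings.append({"file": name, **advisory})
    return findings


def audit_site_packages(site_packages):
    """Scan the <package>.libs directories that auditwheel creates inside a site-packages tree."""
    names = [p.name for p in Path(site_packages).glob("*.libs/*.so*")]
    return audit_bundled_libs(names)


if __name__ == "__main__":
    # Constructed sample: the file from this issue plus an unrelated (clean) vendored library.
    for f in audit_bundled_libs(["libhdf5-249516a5.so.103.1.0", "libgfortran-2e0d59d6.so.5.0.0"]):
        print(f"{f['file']}: {f['project']} {f['version']} -> {', '.join(f['cves'])} (fixed in {f['fixed_in']})")
```

Running it over a real site-packages directory (audit_site_packages) lists every vendored library that the advisory table knows about, independent of what pip or the package metadata report.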
Thank you for reporting this issue. There were some compatibility issues with the H5PP dependency with the newest version of HDF5, but I will look into this soon.