Closed JoeGardner000 closed 2 years ago
Anyone concerned about these vulnerabilities could build python-gphoto2 from source, using their known good versions of libexif etc. The "binary wheels" are built with GitHub Actions - I don't think I can specify what versions of these libraries are installed on the build machines.
See also https://github.com/pypa/manylinux/issues/1302
I don't plan to do anything about this. The risks are minimal in any usage of python-gphoto2 I can think of. If you have a usage where the risks might be significant, then you can use pip's --no-binary
option to force building with your locally installed patched versions of the affected libraries.
If CentOS 7 (the OS used to build manylinux wheels) gets patched libraries then the next release of python-gphoto2 will have the patches.
Hi, @jim-easterbrook , @sdaau , I'd like to report a vulnerability issue in gphoto2_2.3.3.
Issue Description
gphoto2_2.3.3 directly or transitively depends on 50 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libexif-8d1b563f.so.12.3.3
from C project libexif(version:0.6.21) exposed 7 vulnerabilities: CVE-2016-6328, CVE-2020-12767, CVE-2020-13112, CVE-2020-13113, CVE-2020-13114,CVE-2018-20030, CVE-2017-7544libpng12-640ca796.so.0.49.0
from C project libpng(version:1.2.54) exposed 10 vulnerabilities: CVE-2011-3045, CVE-2014-9495, CVE-2013-7354, CVE-2013-7353,CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540libXpm-99013f46.so.4.11.0
from C project libxpm(version:3.5.10) exposed 1 vulnerabilities: CVE-2016-10164Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Python code. For instance, following call chains can reach the vulnerable method(C code) png_inflate() in file
libpng/pngrutil.c
reported by CVE-2011-3045.Suggested Vulnerability Patch Versions
libexif has fixed the vulnerabilities in versions >=0.6.23 libpng has fixed the vulnerabilities in versions >=1.6.32 libxpm has fixed the vulnerabilities in versions >=3.5.12
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (gphoto2 has 13,603 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, Joe Gardner