Open andy201709 opened 2 years ago
@andy201709 skia-python bundles those shared libraries via auditwheel inside a manylinux2014 (centos7) container, where the available libuuid version in the package manager is libuuid-devel-2.23.2-65.el7_9.1.x86_64. Can you suggest a reasonable workaround to the build step in build_Linux.sh?
@kyamagu, thank you for your feedback.
I notice that libuuid-f64cda11.so.1.3.0 is a dependent of libfontconfig-42c558d2.so.1.11.1.
Trying to upgrade to the latest version of fontconfig in build_Linux.sh may work around it? Just a suggestion, I'm not sure.
Manylinux2014 reaches End of Life (EOL) on June 30th, 2024, so we have to switch upwards in the next 8 months. This should close when we switch.
There is a new manylinux as of 2024.07.02 (and m128/m130 have been using that for a couple of releases). This is due a revisit.
Seems the current m132 build is still against 2.23.2-65.el7_9.1, as far as I can see from the CI log.
That said, the middle CVE says it is not exploitable on glibc systems, and we ONLY do glibc systems (until/unless anybody works on #172, I guess). And I am not sure about the other two - util-linux is a big package, and I am not sure libuuid is involved in umount (the first) or removable DOS media (the last).
Hi @kyamagu, @jljusten, I'd like to report a vulnerability issue in skia-python_87.4.
[Image: Dependency Graph between Python and Shared Libraries]
Issue Description
As shown in the above dependency graph, skia-python_87.4 directly or transitively depends on 4 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libuuid-f64cda11.so.1.3.0 from C project util-linux (version: 2.27.1) exposed 3 vulnerabilities: CVE-2018-7738, CVE-2021-37600, CVE-2016-5011
Suggested Vulnerability Patch Versions
util-linux has fixed the vulnerabilities in versions >=2.37.2
Python build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Python projects. As a popular Python package (skia-python has 8,051 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~ Best regards, Andy
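The check the thread does by hand (which vendored .so pulls in libuuid, and what the original soname was before auditwheel tagged it) can be scripted against the wheel itself. The following is an added example, not code from this issue or from skia-python: it lists the ELF shared objects inside a wheel, reads each one's DT_NEEDED entries directly from the .dynamic section, and reports the reverse edges. It assumes little-endian ELF64 (the manylinux x86_64 case) and that auditwheel's tag is the usual 8 hex characters inserted before `.so`. The wheel and ELF images it runs on are constructed in memory with the two sonames quoted above (`libfontconfig-42c558d2.so.1.11.1` needing `libuuid-f64cda11.so.1.3.0`); they are fixtures, not real skia-python artifacts.

```python
# Added example (not from the issue or skia-python): map DT_NEEDED edges
# between shared libraries vendored into a wheel. Little-endian ELF64 only.
import io
import re
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1
SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr, 64 bytes


def needed_libraries(elf: bytes) -> list[str]:
    """Return the DT_NEEDED sonames of a little-endian ELF64 image."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    sections = []
    for i in range(e_shnum):
        f = struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)
        sections.append((f[1], f[4], f[5], f[6]))  # sh_type, sh_offset, sh_size, sh_link
    needed = []
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        _, str_off, str_size, _ = sections[sh_link]  # sh_link of .dynamic -> its string table
        strtab = elf[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed.append(strtab[d_val:strtab.index(b"\0", d_val)].decode())
    return needed


def wheel_vendored_graph(wheel_bytes: bytes) -> dict[str, list[str]]:
    """Map every ELF shared object inside the wheel to the sonames it needs."""
    graph = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]
            if ".so" not in base:
                continue
            data = zf.read(member)
            if data[:4] == ELF_MAGIC:
                graph[base] = needed_libraries(data)
    return graph


def reverse_dependents(graph: dict[str, list[str]], lib_prefix: str) -> list[str]:
    """Which bundled libraries pull in a library whose soname starts with lib_prefix?"""
    return sorted(src for src, deps in graph.items()
                  if any(d.startswith(lib_prefix) for d in deps))


def strip_auditwheel_hash(soname: str) -> str:
    """libuuid-f64cda11.so.1.3.0 -> libuuid.so.1.3.0 (assumes auditwheel's 8-hex tag)."""
    return re.sub(r"-[0-9a-f]{8}(?=\.so)", "", soname)


def build_fake_elf(deps: list[str]) -> bytes:
    """Constructed fixture: minimal ELF64 with only .dynstr and .dynamic (not loadable)."""
    dynstr, offsets = b"\0", []
    for dep in deps:
        offsets.append(len(dynstr))
        dynstr += dep.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))  # [0] SHN_UNDEF
    shdrs += struct.pack(SHDR_FMT, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)  # [1] .dynstr
    shdrs += struct.pack(SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)  # [2] .dynamic
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return header + dynstr + dynamic + shdrs


def build_sample_wheel() -> bytes:
    """Constructed fixture mirroring the edge named in the thread: fontconfig -> libuuid."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skia.libs/libfontconfig-42c558d2.so.1.11.1",
                    build_fake_elf(["libuuid-f64cda11.so.1.3.0", "libc.so.6"]))
        zf.writestr("skia.libs/libuuid-f64cda11.so.1.3.0", build_fake_elf(["libc.so.6"]))
        zf.writestr("skia/__init__.py", "")
    return buf.getvalue()


if __name__ == "__main__":
    graph = wheel_vendored_graph(build_sample_wheel())
    for lib, deps in graph.items():
        print(f"{strip_auditwheel_hash(lib)} needs {[strip_auditwheel_hash(d) for d in deps]}")
    print("pulls in libuuid:", reverse_dependents(graph, "libuuid"))
```

Pointing `wheel_vendored_graph` at a real downloaded wheel (read its bytes instead of calling `build_sample_wheel`) gives the same report for the actual `skia.libs/` directory; the reverse-dependents output is what tells you that replacing libuuid means rebuilding or replacing fontconfig as well, since the build container's package manager is where the vendored version comes from.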