nanoporetech / medaka

Sequence correction provided by ONT Research
https://nanoporetech.com

Vulnerable shared libraries might make medaka vulnerable. Can you help upgrade to patch versions? #364

Closed MikeWazoWski123 closed 2 years ago

MikeWazoWski123 commented 2 years ago

Hi, @cjw85 , @mwykes , I'd like to report a vulnerability issue in medaka_1.6.0.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (this shows only the part of the dependency graph that depends on vulnerable shared libraries), medaka_1.6.0 directly or transitively depends on 24 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

- libcrypto-142cf8a3.so.1.0.1e from C project openssl (version: <=1.0.1f) exposed 18 vulnerabilities: CVE-2021-4044, CVE-2016-7056, CVE-2016-2182, CVE-2016-2181, CVE-2016-2179, CVE-2016-6302, CVE-2016-6303, CVE-2016-2842, CVE-2015-0286, CVE-2015-0206, CVE-2014-8275, CVE-2015-0205, CVE-2014-3508, CVE-2014-3572, CVE-2014-3571, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041
- libidn-0c8ed23f.so.11.6.1 from C project libidn (version: 1.28) exposed 3 vulnerabilities: CVE-2015-8948, CVE-2016-6261, CVE-2016-6262
- libk5crypto-ab4ddf4c.so.3.1 from C project krb5 (version: 1.13.2) exposed 4 vulnerabilities: CVE-2021-37750, CVE-2021-36222, CVE-2015-8629, CVE-2015-8630

Suggested Vulnerability Patch Versions

- openssl has fixed the vulnerabilities in versions >=3.0.1
- libidn has fixed the vulnerabilities in versions >=1.33
- krb5 has fixed the vulnerabilities in versions >=1.19.3

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (medaka has 16,009 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~

Best regards,
MikeWazowski
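The report above rests on a point that pip-level tools miss: auditwheel copies C libraries into a `<package>.libs/` directory inside a manylinux wheel under names like `libcrypto-142cf8a3.so.1.0.1e`, and nothing in the Python package metadata records them. The following script is an added example for this thread, not medaka's, auditwheel's or ONT's code. It enumerates those vendored libraries from a wheel archive or an installed site-packages tree and compares the upstream release each one came from against a fixed version. Two things are assumptions: the wheel it scans is constructed in memory from the file names in the issue (plus an invented `libz-deadbeef.so.1` entry to exercise the unknown path), and the table mapping a library stem to its upstream project and release is seeded from the versions the issue states, because the soversion in the file name is an ABI version, not the upstream release (the issue's `libk5crypto.so.3.1` comes from krb5 1.13.2).

```python
"""Find shared libraries that auditwheel vendored into a wheel and check the
upstream release each one came from against a known fixed version.

Added example for this thread; it is not medaka's, auditwheel's or ONT's code.
The wheel is constructed in memory with empty files named after the libraries
listed in the issue, so the script runs offline.
"""
import io
import os
import re
import zipfile

# auditwheel stores a vendored library as <stem>-<8 hex chars>.so[.<soversion>]
# under <package>.libs/ inside the wheel.
VENDORED_RE = re.compile(
    r"^(?P<pkg>[^/]+)\.libs/(?P<stem>lib[\w+.-]*?)-(?P<tag>[0-9a-f]{8})"
    r"\.so(?:\.(?P<soversion>[0-9][\w.]*))?$"
)

# The soversion in the file name is the ABI version, not the upstream release
# (libk5crypto.so.3.1 came from krb5 1.13.2 in the issue), so the upstream
# release has to be established from the build image. This table is seeded
# from the versions the issue reports (assumption: same manylinux2010 build).
UPSTREAM = {
    "libcrypto": ("openssl", "1.0.1f"),
    "libidn": ("libidn", "1.28"),
    "libk5crypto": ("krb5", "1.13.2"),
}
# Patched releases named in the issue.
FIXED = {"openssl": "3.0.1", "libidn": "1.33", "krb5": "1.19.3"}


def version_key(version):
    """Sort key for dotted versions with an optional letter suffix per part,
    so that '1.0.1f' < '1.0.2' < '3.0.1'."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return tuple(key)


def parse_vendored(member):
    """Return pkg/stem/tag/soversion for an auditwheel-vendored path, else None."""
    m = VENDORED_RE.match(member)
    return m.groupdict() if m else None


def vendored_in_wheel(wheel_bytes):
    """List the vendored shared libraries recorded in a wheel archive."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        parsed = (parse_vendored(name) for name in zf.namelist())
        return [p for p in parsed if p]


def audit_wheel(wheel_bytes, upstream=UPSTREAM, fixed=FIXED):
    """Flag each vendored library as 'outdated', 'fixed' or 'unknown'."""
    findings = []
    for lib in vendored_in_wheel(wheel_bytes):
        project, release = upstream.get(lib["stem"], (None, None))
        if project is None or project not in fixed:
            status = "unknown"  # needs a manual lookup; never silently pass
        elif version_key(release) < version_key(fixed[project]):
            status = "outdated"
        else:
            status = "fixed"
        findings.append({"stem": lib["stem"], "soversion": lib["soversion"],
                         "project": project, "release": release,
                         "status": status})
    return findings


def vendored_in_site_packages(root):
    """Same enumeration for an installed environment: pip unpacks the
    <package>.libs directories next to the package, so walk for them."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if dirpath.endswith(".libs"):
            pkg_dir = os.path.basename(dirpath)
            parsed = (parse_vendored(f"{pkg_dir}/{f}") for f in files)
            hits += [p for p in parsed if p]
    return hits


def build_demo_wheel():
    """Constructed wheel: member names taken from the issue, plus one entry
    (libz, tag 'deadbeef') invented here to show the 'unknown' outcome."""
    members = [
        "medaka/__init__.py",
        "medaka.libs/libcrypto-142cf8a3.so.1.0.1e",
        "medaka.libs/libidn-0c8ed23f.so.11.6.1",
        "medaka.libs/libk5crypto-ab4ddf4c.so.3.1",
        "medaka.libs/libz-deadbeef.so.1",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_wheel(build_demo_wheel()):
        print(f"{f['status']:8} {f['stem']:12} so={f['soversion']} "
              f"upstream={f['project']} {f['release']}")
```

Run against a real wheel, `audit_wheel(open("medaka-1.6.0-...whl", "rb").read())` would list every vendored library, and `vendored_in_site_packages(site.getsitepackages()[0])` does the same for an installed environment. The `unknown` status is deliberate: a library stem with no entry in the upstream table is reported rather than skipped, because the file name alone cannot tell you which upstream release was compiled into it.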

cjw85 commented 2 years ago

medaka wheels are created using the manylinux2010 (2014 for ARM64) toolset and so their binary dependencies are governed by libraries available within this build environment. The dependency on libcurl extending to libcrypto stems from use within htslib for reading data across a network. This is not a typical use case for medaka and so is not considered a critical vulnerability.

We will investigate disabling the libcurl functionality.

MikeWazoWski123 commented 2 years ago

@cjw85, thanks for your kind feedback. I hope this information can help with finding vulnerable binary dependencies.

Best regards,
MikeWazowski