pyproj4 / pyproj

Python interface to PROJ (cartographic projections and coordinate transformations library)
https://pyproj4.github.io/pyproj
MIT License

LibTiff Vulnerabilities and Dependencies #1359

Closed nfairbank closed 9 months ago

nfairbank commented 9 months ago

PyProj has tiff dependencies, which are not fully supported by the latest version of tiff, 4.6.0.

Essentially Tiff removed support for many features due to security vulnerabilities and lack of developer support: (http://www.simplesystems.org/libtiff/)

"Starting with libtiff v4.6.0, the source code for most TIFF tools (except tiffinfo, tiffdump, tiffcp and tiffset) was discontinued, due to the lack of contributors able to address reported security issues. tiff2ps and tiff2pdf source code has been moved in an unsupported category, no longer built by default, but are still part of the source distribution. Other retired utilities are in an archive/ directory, only available in the libtiff git repository. Issues related to unsupported and archived tools will no longer be accepted in the libtiff bug tracker."

But in order to use PyProj, you need an old (vulnerable) version of Tiff, exposed to the following CVEs:

CVE-2023-41175 CVE-2023-40745 CVE-2015-7313

Please see below for an example:

```
/app # python
Python 3.11.6 (main, Oct 4 2023, 06:22:18) [GCC 12.2.1 20220924] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyproj
>>> print(pyproj.__version__)
3.6.1
>>> exit()
/app # apk list | grep tiff
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
tiff-4.5.1-r0 x86_64 {tiff} (libtiff) [installed]
/app # echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
/app # apk add --no-cache "tiff@edge"
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
(1/1) Upgrading tiff@edge (4.5.1-r0 -> 4.6.0-r0)
OK: 183 MiB in 68 packages
/app # apk list --installed | grep tiff
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
tiff-4.6.0-r0 x86_64 {tiff} (libtiff) [installed]
/app # python
Python 3.11.6 (main, Oct 4 2023, 06:22:18) [GCC 12.2.1 20220924] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyproj
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/venv/lib/python3.11/site-packages/pyproj/__init__.py", line 33, in <module>
    import pyproj.network
  File "/venv/lib/python3.11/site-packages/pyproj/network.py", line 10, in <module>
    from pyproj._network import (  # noqa: F401 pylint: disable=unused-import
ImportError: Error relocating /usr/lib/libtiff.so.6: jpeg12_write_raw_data: symbol not found
```

djhoese commented 9 months ago

Could you please provide the information for how you actually installed pyproj? And if you have the PROJ C/C++ library installed separately?

As far as I can tell pyproj does not depend on libtiff directly at all, but our PROJ C/C++ library dependency does depend on libtiff:

https://github.com/OSGeo/PROJ

The traceback from python reaching into C/C++ code (the _network.pyx and the binary .so version of it) is hiding the fact that this symbol not being found is part of a different dependence. At least I think so.

nfairbank commented 9 months ago

It's a little complicated because I'm trying to build everything on Alpine for a production environment.

It's extremely possible that the error comes from PROJ, and I only see it when I try "import pyproj" and it starts the traceback.

It's a multistage build but essentially I install all the build time dependencies, then pip install all the python packages (including pyproj) into a virtual environment. Then I install runtime dependencies (including proj 9.2.1) in a new image, and copy over the venv.

So it sounds like the issue is tiff 4.6 breaks proj 9.2.1 breaks pyproj. I'm trying proj 9.3.0 to see if that repairs the chain, but having issues getting it to install over other dependencies. Honestly might just have to mitigate the vulnerabilities at the application level and wait for the dependency graph to catch up.
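A pre-deploy check that follows djhoese's point above (the missing symbol belongs to the libtiff that PROJ links against, not to pyproj) and fits the multistage build nfairbank describes: an added Python example, not pyproj or PROJ code. Run in the runtime image after the venv is copied in, it imports pyproj, and if the dynamic loader rejects the import it parses the library path and symbol out of the message and probes that library with ctypes, so the report names the system library whose version drifted rather than pyproj. The two loader-message regexes (musl wording as seen in this issue, and the glibc "undefined symbol" wording) and the helper names are assumptions made for this example.

```python
"""Pre-deploy smoke check for the pyproj -> PROJ -> libtiff chain.

Added example, not pyproj or PROJ code. Distinguishes "pyproj is
missing" from "a shared library pyproj's C extension depends on
(transitively, via libproj) no longer exports a symbol".
"""
import ctypes
import importlib
import re
from typing import Dict, Optional, Tuple

# Loader wording is an assumption based on common musl and glibc output;
# the first pattern matches the message quoted in this issue.
_RELOC_PATTERNS = [
    re.compile(r"Error relocating (?P<lib>\S+): (?P<sym>\w+): symbol not found"),
    re.compile(r"(?P<lib>\S+): undefined symbol: (?P<sym>\w+)"),
]


def parse_relocation_error(message: str) -> Optional[Tuple[str, str]]:
    """Return (library_path, symbol) from a dynamic-loader error, or None."""
    for pattern in _RELOC_PATTERNS:
        match = pattern.search(message)
        if match:
            return match.group("lib"), match.group("sym")
    return None


def library_exports(lib_path: str, symbol: str) -> Optional[bool]:
    """True/False if lib_path loads and does/doesn't export symbol.

    Returns None when the library itself cannot be loaded, which is the
    "runtime image lacks the library entirely" failure mode.
    """
    try:
        lib = ctypes.CDLL(lib_path)
    except OSError:
        return None
    # ctypes raises AttributeError for an unknown export, so hasattr works.
    return hasattr(lib, symbol)


def diagnose_import(module_name: str = "pyproj") -> Dict[str, object]:
    """Import module_name and classify the outcome for a deploy gate."""
    try:
        module = importlib.import_module(module_name)
    except ImportError as exc:
        parsed = parse_relocation_error(str(exc))
        if parsed is None:
            # Plain packaging problem (module absent, wheel not installed).
            return {"ok": False, "cause": "import_error", "detail": str(exc)}
        lib_path, symbol = parsed
        return {
            "ok": False,
            "cause": "missing_symbol",
            "library": lib_path,
            "symbol": symbol,
            # False here means the library is present but an ABI-incompatible
            # version (e.g. tiff 4.5.1 -> 4.6.0 in this issue); None means
            # the library is absent from the runtime image.
            "library_exports_symbol": library_exports(lib_path, symbol),
        }
    return {"ok": True, "version": getattr(module, "__version__", None)}


if __name__ == "__main__":
    import sys

    result = diagnose_import()
    print(result)
    # Non-zero exit makes this usable as a build-stage gate in a Dockerfile.
    sys.exit(0 if result["ok"] else 1)
```

Running this as the last step of the runtime stage turns the silent version drift between the build image's libtiff and the runtime image's libtiff into a failed build, which is where the mismatch should surface rather than at application start.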

djhoese commented 9 months ago

When you install the build dependencies and runtime dependencies how are you doing that? Are you building them from source? Or installing from a package manager? I would assume that running proj or similar command line tool from PROJ would trigger a similar error. That would at least cut out the pyproj part of the equation.

For building pyproj, are you pip installing from source or from PyPI? If PyPI, is it using a wheel on PyPI or is it downloading the .tar.gz source tarball and building from that?

nfairbank commented 9 months ago

I think you are correct that this is not a pyproj issue. I think that it likely lies at the Alpine level, ensuring that the dependency graph is well-coordinated. Going to close this issue.