rasterio / rasterio-wheels

MIT License

Vulnerable shared libraries might make rasterio vulnerable. Can you help upgrade to patch versions? #81

Closed JoeGardner000 closed 2 years ago

JoeGardner000 commented 2 years ago

Hi, @sgillies , @perrygeo , I'd like to report a vulnerability issue in rasterio_1.2.10.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (this shows only the part of the dependency graph that depends on vulnerable shared libraries), rasterio_1.2.10 directly or transitively depends on 32 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

- libhdf5-rasterio-5ce9c7f2.so.103.1.0 and libhdf5_hl-rasterio-92c1cdd8.so.100.1.2 from C project hdf5 (version <= 1.10.6) expose 4 vulnerabilities: CVE-2020-10811, CVE-2020-10812, CVE-2020-10810, CVE-2020-10809
- libjson-c-rasterio-5f02f62c.so.2.0.2 from C project json-c (version <= 0.12.1) exposes 1 vulnerability: CVE-2020-12762

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) H5AC_unpin_entry() in file H5AC.c reported by CVE-2020-10810.

Call chain:

H5Literate_by_name() -> H5G_iterate() -> H5G__obj_iterate() -> H5G__dense_iterate() -> H5HF_open() -> H5HF_close() -> H5HF_space_close() -> H5FS_close() -> H5FS_decr() -> H5AC_unpin_entry()

Suggested Vulnerability Patch Versions

- hdf5 has fixed the vulnerabilities in versions >= 1.12.1
- json-c has fixed the vulnerabilities in versions >= 0.15

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (rasterio has 814,019 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~

Best regards,
Joe Gardner
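As an added illustration of the report's point that Python packaging tools do not surface bundled C libraries (example code written for this page, not from rasterio or the reporter): the script below inventories the vendored shared libraries inside a wheel and flags the ones belonging to projects with the fix versions named above. The in-memory wheel, the watch-list table and the filename pattern are constructed assumptions based on the names quoted in the report; the SONAME version in a filename is not the upstream release, so the upstream version still has to be confirmed separately.

```python
import io
import re
import zipfile

# The report's bundled libraries are named <lib>-rasterio-<8 hex>.so.<version>,
# the style wheel-repair tools use when vendoring (assumed pattern, constructed here).
MANGLED = re.compile(
    r"^(?P<lib>lib[\w+.-]+?)-(?P<pkg>\w+)-(?P<hash>[0-9a-f]{8})\.so(?P<ver>(\.\d+)*)$"
)

# Constructed watch-list: library-name prefix -> (upstream project, first fixed release
# named in the report). Matching a name here means "confirm the upstream version".
WATCHLIST = {"libhdf5": ("hdf5", "1.12.1"), "libjson-c": ("json-c", "0.15")}

def parse_mangled(filename):
    """Split a mangled library filename into lib / hash / SONAME version, else None."""
    m = MANGLED.match(filename)
    if not m:
        return None
    return {"lib": m.group("lib"), "hash": m.group("hash"),
            "soname_version": m.group("ver").lstrip(".")}

def inventory(wheel_bytes):
    """List every shared library under a <package>.libs/ folder of a wheel (.whl zip bytes)."""
    records = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            folder, _, base = name.rpartition("/")
            parsed = parse_mangled(base)
            if folder.endswith(".libs") and parsed:
                records.append(dict(parsed, path=name))
    return records

def flag_watchlisted(records):
    """Return (path, upstream project, first fixed release) for each watch-listed library."""
    hits = []
    for r in records:
        for prefix, (project, fixed) in WATCHLIST.items():
            if r["lib"] == prefix or r["lib"].startswith(prefix + "_"):
                hits.append((r["path"], project, fixed))
    return hits

def build_sample_wheel():
    """Constructed in-memory wheel carrying the library names quoted in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rasterio/__init__.py", "")
        for lib in ("libhdf5-rasterio-5ce9c7f2.so.103.1.0", "libhdf5_hl-rasterio-92c1cdd8.so.100.1.2",
                    "libjson-c-rasterio-5f02f62c.so.2.0.2",
                    "libexample-rasterio-0123abcd.so.1"):  # constructed, not on the watch-list
            zf.writestr("rasterio.libs/" + lib, b"")
    return buf.getvalue()

if __name__ == "__main__":
    for path, project, fixed in flag_watchlisted(inventory(build_sample_wheel())):
        print(f"{path}: bundled from {project}; confirm upstream version >= {fixed}")
```

To audit a real wheel, pass the bytes of the downloaded .whl file to inventory() instead of build_sample_wheel().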

sgillies commented 2 years ago

@JoeGardner000 I'm going to transfer this issue to https://github.com/rasterio/rasterio-wheels, which is where the wheel building system lives.

JoeGardner000 commented 2 years ago

Thanks @sgillies