Closed andy201709 closed 2 years ago
Thanks for reporting this @andy201709.
First the good news - _psycopg.so is removed from the next release so most of those vulnerabilities will disappear.
I will investigate the other vulnerabilities.
@brendanator, thank you very much for your feedback.
Is the diagnosis information useful to you? I am happy to know that :) Our team developed a tool that can detect the vulnerability issues that are induced by cross-language invocations. If you are interested, I can share a download link with you when we make it open-source.
@andy201709 These issues seem to be inherited from the docker image that we are using to build Sourcery so that it is compatible with most versions of Linux.
Closing as there's not much we can do about this as it's an upstream issue.
Hi @brendanator, @Hellebore, I'd like to report a vulnerability issue in sourcery-cli_0.11.1.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown), sourcery-cli_0.11.1 directly or transitively depends on 33 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

- libbsd.so.0 from C project libbsd (version: 0.8.2) exposed 1 vulnerability: CVE-2019-20367
- libcrypto-2f2fcd35.so.1.1, libcrypto.so.1.1, libssl-6b7b94d5.so.1.1 and libssl.so.1.1 from C project openssl (version: <=1.1.1j) exposed 9 vulnerabilities: CVE-2021-3711, CVE-2021-3712, CVE-2020-7042, CVE-2020-7041, CVE-2019-1552, CVE-2019-1543, CVE-2018-0735, CVE-2017-3738, CVE-2020-7043
- libexpat.so.1 from C project expat (version: 2.1.0) exposed 1 vulnerability: CVE-2017-9233
- libfontconfig.so.1 from C project fontconfig (version: 2.11.0) exposed 1 vulnerability: CVE-2016-5384
- libfreetype.so.6 from C project freetype (version: 2.6.1) exposed 4 vulnerabilities: CVE-2015-9383, CVE-2018-6942, CVE-2016-10328, CVE-2016-10244
- libgssapi_krb5-497db0c6.so.2.2, libk5crypto-b1f99d5c.so.3.1 and libkrb5-fc820a1d.so.3.3 from C project krb5 (version: 1.16) exposed 2 vulnerabilities: CVE-2021-37750, CVE-2021-36222
- libncursesw.so.5 and libtinfo.so.5 from C project ncurses (version: <=6.0) exposed 15 vulnerabilities: CVE-2017-13734, CVE-2017-13733, CVE-2017-13732, CVE-2017-13731, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-16879, CVE-2017-11113, CVE-2017-11112, CVE-2017-10685, CVE-2017-10684, CVE-2019-17595, CVE-2019-17594, CVE-2021-39537
- libuuid.so.1 from C project util-linux (version: 2.27.1) exposed 3 vulnerabilities: CVE-2018-7738, CVE-2021-37600, CVE-2016-5011

Furthermore, the vulnerable methods in these vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain starting from SSL_CTX_load_verify_locations() can reach the vulnerable method EC_GROUP_new_from_ecparameters() <EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) in crypto/ec/ec_asn1.c> reported by CVE-2021-3712:

Suggested Vulnerability Patch Versions

- libbsd has fixed the vulnerabilities in versions >=0.10.0
- openssl has fixed the vulnerabilities in versions >=1.1.1l
- expat has fixed the vulnerabilities in versions >=2.2.1
- fontconfig has fixed the vulnerabilities in versions >=2.12.1
- freetype has fixed the vulnerabilities in versions >=2.9.1
- krb5 has fixed the vulnerabilities in versions >=1.19.3
- ncurses has fixed the vulnerabilities in versions >=6.3
- util-linux has fixed the vulnerabilities in versions >=2.37.2
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As sourcery-cli is a popular Python package (5,311 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~
Best regards,
Andy
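The report above lists the vendored shared objects, the upstream project each belongs to, and the version in which each project fixed the listed CVEs. A maintainer who wants to check a built wheel or install tree against that list, rather than trusting the build image, can do so with a small inventory script. The following is an added example written for this thread; it is not Sourcery's code, not the reporter's tool, and not part of the original issue. It takes the fixed-version table and the .so-to-project mapping from the report, strips the auditwheel hash suffix (as in libssl-6b7b94d5.so.1.1) to recover the library base name, and, as a best-effort version check, looks for the "OpenSSL x.y.zq" banner that libcrypto and libssl embed. Libraries whose version it cannot read are reported as unknown rather than silently passed. The sample tree it scans is constructed from fake stub files, not real libraries.

```python
"""Inventory the shared objects vendored into a Python package and flag those
whose embedded version is older than the fix version from the report.

Added example for this issue, not Sourcery's code. FIXED_VERSIONS and the
.so -> project map are copied from the report; version detection only
recognises the OpenSSL banner, everything else is reported as 'unknown'.
"""
import os
import re
import tempfile

# Minimum fixed versions, as stated under "Suggested Vulnerability Patch Versions".
FIXED_VERSIONS = {
    "libbsd": "0.10.0", "openssl": "1.1.1l", "expat": "2.2.1",
    "fontconfig": "2.12.1", "freetype": "2.9.1", "krb5": "1.19.3",
    "ncurses": "6.3", "util-linux": "2.37.2",
}

# Base name of a bundled .so (auditwheel hash suffix stripped) -> upstream project.
SONAME_TO_PROJECT = {
    "libbsd": "libbsd", "libcrypto": "openssl", "libssl": "openssl",
    "libexpat": "expat", "libfontconfig": "fontconfig", "libfreetype": "freetype",
    "libgssapi_krb5": "krb5", "libk5crypto": "krb5", "libkrb5": "krb5",
    "libncursesw": "ncurses", "libtinfo": "ncurses", "libuuid": "util-linux",
}

# "libssl-6b7b94d5.so.1.1" -> "libssl"; "libexpat.so.1" -> "libexpat"
_SO_NAME = re.compile(r"^(lib[A-Za-z0-9_+]+?)(?:-[0-9a-f]{8})?\.so(?:\.\d+)*$")
# OpenSSL's OPENSSL_VERSION_TEXT banner, e.g. b"OpenSSL 1.1.1j  16 Feb 2021"
_OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def version_key(version):
    """'1.1.1j' -> (1, 1, 1, 0, 'j'): numeric parts padded, letter release last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (4 - len(nums)) + (m.group(2),)


def project_for(filename):
    """Map a file name to the C project it belongs to, or None if not a known .so."""
    m = _SO_NAME.match(os.path.basename(filename))
    return SONAME_TO_PROJECT.get(m.group(1)) if m else None


def embedded_version(path, project):
    """Best-effort version string; only the OpenSSL banner is recognised here."""
    if project != "openssl":
        return None
    with open(path, "rb") as fh:
        m = _OPENSSL_BANNER.search(fh.read())
    return m.group(1).decode() if m else None


def scan_tree(root):
    """Return one finding per bundled shared object under `root`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            project = project_for(name)
            if project is None:
                continue  # not a shared object we track
            found = embedded_version(os.path.join(dirpath, name), project)
            fixed = FIXED_VERSIONS[project]
            if found is None:
                status = "unknown"       # needs a manual check of the build image
            elif version_key(found) < version_key(fixed):
                status = "vulnerable"
            else:
                status = "ok"
            findings.append({"file": name, "project": project, "version": found,
                             "fixed_in": fixed, "status": status})
    return findings


def demo():
    """Scan a constructed sample tree (fake stub files, not real libraries)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "sourcery.libs")   # auditwheel-style vendor dir
        os.makedirs(lib)
        stubs = {
            # banner at the version the report found -> expected "vulnerable"
            "libssl-6b7b94d5.so.1.1": b"\x7fELF" + b"OpenSSL 1.1.1j  16 Feb 2021\0",
            # banner at the fixed version -> expected "ok"
            "libcrypto-2f2fcd35.so.1.1": b"\x7fELF" + b"OpenSSL 1.1.1l  24 Aug 2021\0",
            # no recognisable banner -> expected "unknown"
            "libexpat.so.1": b"\x7fELF",
            "README.txt": b"not a library\n",       # must be ignored
        }
        for name, data in stubs.items():
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<10} {f['file']:<28} {f['project']:<10} "
              f"{f['version'] or '?':<7} fixed in >= {f['fixed_in']}")
```

Point scan_tree() at the unpacked wheel or the package's site-packages directory to get the real inventory. The "unknown" status is deliberate: a library that cannot be versioned from its contents is exactly the one that should be traced back to the build image, as @brendanator's comment suggests, rather than assumed safe.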