Open andy201709 opened 2 years ago
Thanks @andy201709 for this.
@makaimann -- how come we directly depend on gmp and not only transitively? That is, I am surprised by the arrow from smt-switch.cpython... to libgmpxx on the right.
Further -- how can we upgrade gmp for the solvers that we use? Won't that depend on an upgrade done by the solvers themselves?
Thanks for reporting this @andy201709!
@yoni206, this is for the generated smt_switch Python wheels, where the libraries are bundled with it.
I don't think we need an upgrade from the solvers (assuming the interface still matches), but I'm not certain. I'll try to look into this when I get a chance. Basically, when creating the wheels through the manylinux Docker image, we would need to upgrade the gmp version there.
I understand it, thanks @makaimann.
Hi @makaimann, @yoni206, I'd like to report a vulnerability issue in smt-switch_0.3.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, smt-switch_0.3.0 directly or transitively depends on 6 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libgmp-afec2dd4.so.10.2.0 and libgmpxx-25f6cf8d.so.4.4.0 from C project gmp (version: 6.1.0) exposed 1 vulnerability: CVE-2021-43618
Suggested Vulnerability Patch Versions
No official patch version released, but gmp has fixed the vulnerability in a patch.
Python build tools cannot report vulnerable C libraries, which may induce potential security issues for many downstream Python projects. As a popular Python package (smt-switch has 790 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, Andy
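The reporter's point is that the vendored `.so` files inside a manylinux wheel are invisible to Python-level dependency tooling, and the maintainer's point is that fixing them means rebuilding the wheel with a newer gmp in the manylinux image. The following script is an added example (not code from the smt-switch project or from anyone in this thread) that makes the first half of that visible: it lists the shared objects vendored into a wheel in the `libname-<hash>.so.<soversion>` form that auditwheel produces and matches them against an advisory table. The wheel it inspects is constructed in a temporary directory using the two file names from the issue; the wheel file name, the extension-module name and the `ADVISORIES` table are assumptions for the demo, with the CVE-to-library pairing taken from the issue text.

```python
"""List shared libraries vendored into a Python wheel and flag known-affected ones."""
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Name pattern auditwheel uses for vendored libraries (assumption: an 8-hex-digit
# tag after the library name and an optional trailing soversion), e.g.
# libgmp-afec2dd4.so.10.2.0 -> lib="libgmp", tag="afec2dd4", ver="10.2.0".
BUNDLED_SO = re.compile(
    r"^(?P<lib>lib[A-Za-z0-9_+]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<ver>[0-9][0-9.]*))?$"
)

# Constructed advisory table keyed on (library name, soversion). The entries come
# from the issue text: the bundled libgmp/libgmpxx builds from gmp 6.1.0 are
# reported as affected by CVE-2021-43618. A real feed would key on the upstream
# project version, not the soversion.
ADVISORIES = {
    "libgmp": {"10.2.0": "CVE-2021-43618"},
    "libgmpxx": {"4.4.0": "CVE-2021-43618"},
}


@dataclass(frozen=True)
class BundledLib:
    member: str               # path of the file inside the wheel zip
    name: str                 # library name without the hash tag, e.g. "libgmp"
    soversion: Optional[str]  # trailing version such as "10.2.0", or None


def parse_bundled_name(basename: str) -> Optional[BundledLib]:
    """Parse an auditwheel-style file name; return None for anything else."""
    m = BUNDLED_SO.match(basename)
    if not m:
        return None
    return BundledLib(basename, m["lib"], m["ver"])


def list_bundled_libs(wheel_path) -> list:
    """Enumerate vendored shared objects in a wheel (a wheel is just a zip file)."""
    with zipfile.ZipFile(wheel_path) as zf:
        members = zf.namelist()
    libs = []
    for member in members:
        parsed = parse_bundled_name(member.rsplit("/", 1)[-1])
        if parsed is not None:
            libs.append(BundledLib(member, parsed.name, parsed.soversion))
    return sorted(libs, key=lambda b: b.member)


def flag_vulnerable(libs, advisories=ADVISORIES) -> list:
    """Return (name, soversion, cve) for each bundled lib with a matching advisory."""
    hits = []
    for lib in libs:
        cve = advisories.get(lib.name, {}).get(lib.soversion)
        if cve:
            hits.append((lib.name, lib.soversion, cve))
    return hits


def make_demo_wheel(directory) -> Path:
    """Write a constructed wheel mimicking the layout described in the issue.

    Members hold placeholder bytes, not real ELF objects; only names matter here.
    """
    wheel = Path(directory) / "smt_switch-0.3.0-cp39-cp39-manylinux_2_17_x86_64.whl"
    members = [
        "smt_switch/__init__.py",
        "smt_switch/smt_switch.cpython-39-x86_64-linux-gnu.so",  # assumed name
        "smt_switch.libs/libgmp-afec2dd4.so.10.2.0",            # from the issue
        "smt_switch.libs/libgmpxx-25f6cf8d.so.4.4.0",           # from the issue
        "smt_switch-0.3.0.dist-info/METADATA",
    ]
    with zipfile.ZipFile(wheel, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder")
    return wheel


def demo() -> dict:
    """Run the check end to end on the constructed wheel and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = make_demo_wheel(tmp)
        libs = list_bundled_libs(wheel)
        return {
            "bundled": [(lib.name, lib.soversion) for lib in libs],
            "vulnerable": flag_vulnerable(libs),
        }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key)
        for row in rows:
            print("  ", row)
```

Point `list_bundled_libs` at a real downloaded wheel to see what it vendors. The soversion is only a hint: it is the ELF library's ABI version, not the upstream release, so a production check should map each vendored object back to the gmp version actually compiled into the manylinux build image (the place the maintainer identifies as where the upgrade has to happen) rather than trusting the file name alone.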