vinayak-mehta / pdftopng

A PDF to PNG conversion library (based on pdftoppm from poppler)
GNU General Public License v2.0

Several vulnerabilities in the shared libraries which pdftopng depend on. Could you help upgrade to patch versions? #12

Open andy201709 opened 2 years ago

andy201709 commented 2 years ago

Hi, @vinayak-mehta, @captn3m0, I'd like to report a vulnerability issue in pdftopng_0.2.3.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between pdftopng_0.2.3 and its bundled shared libraries]

Issue Description

As shown in the above dependency graph, pdftopng_0.2.3 directly or transitively depends on 8 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

- libexpat-64fa60ba.so.1.5.2 from C project expat (version <= 2.1.0) exposes 1 vulnerability: CVE-2017-9233
- libfontconfig-63352676.so.1.4.4 from C project fontconfig (version <= 2.11.0) exposes 1 vulnerability: CVE-2016-5384
- libfreetype-20bfc0cd.so.6.3.22 from C project freetype (version < 2.5.2) exposes 11 vulnerabilities: CVE-2015-9381, CVE-2015-9383, CVE-2015-9382, CVE-2015-9290, CVE-2018-6942, CVE-2016-10328, CVE-2016-10244, CVE-2014-9747, CVE-2014-9746, CVE-2014-9745, CVE-2014-2241
- libpng12-640ca796.so.0.49.0 from C project libpng (version < 1.2.54) exposes 11 vulnerabilities: CVE-2019-17371, CVE-2011-3045, CVE-2014-9495, CVE-2013-7354, CVE-2013-7353, CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540

Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Python code. For instance, the following call chain can reach the vulnerable method(C code) png_inflate() in file libpng/pngrutil.c reported by CVE-2011-3045.

Call chain:

readpng2_decode_data() -> png_process_data() -> png_process_some_data() -> png_push_read_chunk() -> png_handle_iCCP() -> png_decompress_chunk() -> png_inflate()

Suggested Vulnerability Patch Versions

- expat has fixed the vulnerabilities in versions >= 2.2.1
- fontconfig has fixed the vulnerabilities in versions >= 2.12.1
- freetype has fixed the vulnerabilities in versions >= 2.9.1
- libpng has fixed the vulnerabilities in versions >= 1.6.32-48

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (pdftopng has 21,936 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~ Best regards, Andy
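The point above that Python build tools do not report bundled C libraries can be checked by hand: a wheel is a zip, and auditwheel-repaired wheels carry their native dependencies under a `<package>.libs/` directory with mangled names such as `libexpat-64fa60ba.so.1.5.2`. The following script is an added example, not part of this issue or of the pdftopng project; it builds a constructed in-memory wheel with fake ELF stubs named as in the list above, and the mangled-name pattern it parses is an assumption about auditwheel's scheme.

```python
import io
import re
import zipfile

# Assumed auditwheel naming scheme: lib<name>-<8 hex chars>.so[.<soversion>]
# (checked against the four names quoted in the issue, not a documented contract)
MANGLED_RE = re.compile(r"^(lib[^-]+)-([0-9a-f]{8})\.so(?:\.([0-9.]+))?$")
ELF_MAGIC = b"\x7fELF"


def parse_mangled_name(filename):
    """Split a mangled filename into (library, hash tag, soversion tuple), or None."""
    m = MANGLED_RE.match(filename)
    if not m:
        return None
    lib, tag, sover = m.groups()
    return lib, tag, tuple(int(x) for x in sover.split(".")) if sover else ()


def inventory_wheel(wheel_bytes):
    """Return [(member path, library, soversion)] for every ELF object in the wheel."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(4) != ELF_MAGIC:  # only native objects, whatever their name
                    continue
            base = info.filename.rsplit("/", 1)[-1]
            parsed = parse_mangled_name(base)
            lib, sover = (parsed[0], parsed[2]) if parsed else (base, ())
            found.append((info.filename, lib, sover))
    return found


def build_sample_wheel():
    """Constructed stand-in for a repaired wheel: ELF magic plus padding, names from the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdftopng/__init__.py", "")
        for name in ["libexpat-64fa60ba.so.1.5.2", "libfontconfig-63352676.so.1.4.4",
                     "libfreetype-20bfc0cd.so.6.3.22", "libpng12-640ca796.so.0.49.0"]:
            zf.writestr("pdftopng.libs/" + name, ELF_MAGIC + b"\0" * 60)
        zf.writestr("pdftopng.libs/README.txt", "not a library")
    return buf.getvalue()


if __name__ == "__main__":
    for path, lib, sover in inventory_wheel(build_sample_wheel()):
        print(f"{lib:<14} soversion={'.'.join(map(str, sover)) or '-'}  ({path})")
```

The soversion in the filename is the library's ABI version, not the project release (libexpat.so.1.5.2 is not expat 1.5.2), so matching the inventory against advisories still requires the upstream's soname-to-release table or the strings/symbols inside the object.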

andy201709 commented 2 years ago

@captn3m0, thank you very much for your help in upgrading to the patched versions. By the way, may I ask two more questions?

1. Are you aware of this type of cross-language vulnerability issue in Python projects?
2. Do you use any tools to help report vulnerable C libraries for Python projects?

Best regards, Andy

captn3m0 commented 2 years ago

@andy201709 Is there a way to reach you over email or elsewhere? I'm looking at documenting these issues, and perhaps setting up a CI for the same - I would like to understand your methodology.

captn3m0 commented 2 years ago

cc @JoeGardner000, @MikeWazoWski123