whtsky / archi

Multi-format archive library based on libarchive
MIT License

Several vulnerabilities in the C library which archi depends on. Could you help upgrade to patch versions? #15

Open MikeWazoWski123 opened 2 years ago

MikeWazoWski123 commented 2 years ago

Hi, @whtsky , I'd like to report a vulnerability issue in archi_0.2.3.

Dependency Graph between Python and Shared Libraries

[image: dependency graph]

Issue Description

As shown in the dependency graph above (it shows only the part of the dependency graph that depends on vulnerable shared libraries), archi_0.2.3 directly or transitively depends on 7 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs: liblz4-c29043df.so.1.7.1 from the C project lz4 (version: r131) exposes 1 vulnerability: CVE-2019-17543

Suggested Vulnerability Patch Versions

lz4 has fixed the vulnerabilities in versions >=1.9.2

Python build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Python projects. As a popular Python package (archi has 8,216 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, MikeWazowski
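The report above points out that Python build tools do not report the C libraries bundled inside a wheel. The following is an added example, not code from the archi project or from the reporter's tooling, of how a maintainer or downstream user can check the bundled libraries themselves: it parses the auditwheel-style filenames shown in the dependency graph (lib<name>-<hash>.so.<version>, e.g. liblz4-c29043df.so.1.7.1) and flags any library below a known fixed version. The fixed version for lz4 (1.9.2, CVE-2019-17543) is taken from the issue; the assumption that the version in the .so filename equals the upstream project version holds for lz4 but not for every library, and the ".libs" directory name and the sample file list are constructed for this example.

```python
import re
from importlib.metadata import PackageNotFoundError, distribution
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# auditwheel/manylinux-style bundled library names, as seen in the issue's
# dependency graph: lib<name>-<8 hex chars>.so.<version>, e.g. liblz4-c29043df.so.1.7.1
BUNDLED_SO = re.compile(
    r"^lib(?P<name>[A-Za-z0-9_+]+?)-[0-9a-f]{8}\.so\.(?P<version>\d+(?:\.\d+)*)$"
)

# Minimum fixed versions taken from the issue (lz4 >= 1.9.2 for CVE-2019-17543).
# Assumption: the version in the .so filename equals the upstream project version,
# which holds for lz4 (liblz4.so.1.9.2 ships with lz4 1.9.2) but not for every library.
FIXED_VERSIONS: Dict[str, Tuple[Tuple[int, ...], str]] = {
    "lz4": ((1, 9, 2), "CVE-2019-17543"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.7.1' -> (1, 7, 1); tuples compare correctly where strings do not ('1.10' > '1.9')."""
    return tuple(int(part) for part in text.split("."))


def parse_bundled_name(filename: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (library name, version tuple) for a bundled .so, or None if the name does not match."""
    match = BUNDLED_SO.match(filename)
    if match is None:
        return None
    return match.group("name"), parse_version(match.group("version"))


def find_vulnerable(filenames: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every bundled library whose version is below its known fixed version."""
    findings = []
    for filename in filenames:
        parsed = parse_bundled_name(filename)
        if parsed is None:
            continue  # not a bundled shared library (e.g. a .py file or a license)
        name, version = parsed
        if name not in FIXED_VERSIONS:
            continue  # no advisory on record for this library
        fixed, advisory = FIXED_VERSIONS[name]
        if version < fixed:
            findings.append({
                "file": filename,
                "library": name,
                "bundled": ".".join(map(str, version)),
                "fixed_in": ".".join(map(str, fixed)),
                "advisory": advisory,
            })
    return findings


def scan_libs_dir(libs_dir: str) -> List[Dict[str, str]]:
    """Scan an on-disk bundled-library directory (the '<package>.libs' folder auditwheel creates)."""
    return find_vulnerable(p.name for p in Path(libs_dir).iterdir() if p.is_file())


def scan_installed(dist_name: str) -> List[Dict[str, str]]:
    """Scan the file list of an installed distribution; returns [] if it is not installed."""
    try:
        files = distribution(dist_name).files or []
    except PackageNotFoundError:
        return []
    # Assumption: bundled libraries live in a directory whose name ends in '.libs'
    return find_vulnerable(p.name for p in files if p.parent.name.endswith(".libs"))


# Constructed sample file list: the lz4 entry is the filename quoted in the issue,
# the others are made up here to show that unlisted and non-library files are ignored.
SAMPLE_FILES = [
    "liblz4-c29043df.so.1.7.1",
    "libarchive-deadbeef.so.13.1.2",
    "libbz2-deadbeef.so.1.0.6",
    "LICENSE.txt",
]

if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_FILES):
        print(f"{finding['file']}: {finding['library']} {finding['bundled']} "
              f"< {finding['fixed_in']} ({finding['advisory']})")
```

Running `scan_installed("archi")` in an environment where the wheel is installed applies the same check to the real file list; `FIXED_VERSIONS` is where further advisories would be recorded as they are confirmed.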

nc7s commented 2 years ago

I assume it could be solved by simply upgrading bundled libarchive to 3.6.0 (latest so far), which I tried once in #16 but failed, partly due to the code base being too old. I'll try again.

whtsky commented 2 years ago

I'm in poor health now and it looks like a hard change based on @bnoctis's PR. Please expect a delay for a working new version.

Meanwhile you can disable wheels and build archi locally with a higher-version libarchive to mitigate this.

whtsky commented 2 years ago

Pinned this issue for awareness. Thanks for reporting! And any help is appreciated btw

MikeWazoWski123 commented 2 years ago

Thank you very much for your help and feedback. @bnoctis @whtsky

whtsky commented 2 years ago

I just read the CVE and it says “LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)”

In my understanding this should impact applications that use lz4 to compress / write data. But archi only supports decompress / read data now, so I assume it should not affect archi.
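The reasoning above is that CVE-2019-17543 lives in lz4's compression path while archi only reads archives. One way to check that claim at the binary level, rather than from the Python API alone, is to list the symbols the bundled libarchive imports from liblz4 (`nm -D --undefined-only <bundled libarchive .so>`) and see whether any LZ4_compress* entry point is linked at all. The following is an added example, not code from the archi project: it parses nm output of that shape and separates the compress and decompress imports. The nm output embedded here is constructed for the example (it is not captured from archi's wheel); the symbol names are real lz4 API names, and the result only says whether the compression path is linked, not whether archi's Python API can reach it.

```python
import re
from typing import Dict, List

# One line of `nm -D --undefined-only <library.so>` output. Undefined symbols have no
# address column, so the address is optional: "[address] <type> <name>[@version]".
# The address must be at least 8 hex digits so a one-letter symbol type is never taken for one.
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]{8,}\s+)?(?P<type>[A-Za-z?])\s+(?P<name>\S+)\s*$")


def undefined_symbols(nm_output: str) -> List[str]:
    """Names of symbols the library imports from elsewhere (nm type 'U')."""
    names = []
    for line in nm_output.splitlines():
        match = NM_LINE.match(line)
        if match and match.group("type") == "U":
            names.append(match.group("name").split("@", 1)[0])  # drop any @VERSION suffix
    return names


def lz4_imports(nm_output: str) -> Dict[str, List[str]]:
    """Split imported LZ4 entry points into the compress and decompress paths."""
    groups: Dict[str, List[str]] = {"compress": [], "decompress": [], "other_lz4": []}
    for name in undefined_symbols(nm_output):
        if not name.startswith("LZ4_"):
            continue
        if name.startswith("LZ4_compress"):
            groups["compress"].append(name)
        elif name.startswith("LZ4_decompress"):
            groups["decompress"].append(name)
        else:
            groups["other_lz4"].append(name)
    return {key: sorted(value) for key, value in groups.items()}


def links_lz4_compress_path(nm_output: str) -> bool:
    """True if the library imports any LZ4_compress* entry point, i.e. the code path
    CVE-2019-17543 describes (LZ4_compress_fast / LZ4_compress_destSize) is linked in.
    False means the compression path is not reachable from this binary at all;
    True means it is linked, not necessarily that the Python API can reach it."""
    return bool(lz4_imports(nm_output)["compress"])


# Constructed nm output (not captured from archi's wheel): one library that links
# both paths, and one that only links the decompression path.
SAMPLE_READ_WRITE = """\
0000000000012340 T archive_read_new
                 U LZ4_decompress_safe
                 U LZ4_decompress_safe_partial
                 U LZ4_compress_fast
                 U LZ4_compress_HC
                 U LZ4_versionNumber
"""

SAMPLE_READ_ONLY = """\
                 U LZ4_decompress_safe
                 U LZ4_decompress_safe_partial
"""

if __name__ == "__main__":
    for label, sample in (("read+write", SAMPLE_READ_WRITE), ("read-only", SAMPLE_READ_ONLY)):
        print(label, lz4_imports(sample),
              "compress path linked:", links_lz4_compress_path(sample))
```

If the real bundled libarchive shows no LZ4_compress* imports, the compression path is not even linked and the maintainer's assessment is confirmed at the binary level; if it does show them, the question becomes whether any archi code path calls the write side, which this check alone cannot answer.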