Open MikeWazoWski123 opened 2 years ago
I assume it could be solved by simply upgrading bundled libarchive to 3.6.0 (latest so far), which I tried once in #16 but failed, partly due to the code base being too old. I'll try again.
I'm in poor health now and it looks like a hard change based on @bnoctis ‘s PR. Please expect delay for a working new version.
Meanwhile you can disable wheels and building arch locally with a higher version libarchive to mitigate this.
Pinned this issue for awareness. Thanks for reporting! And any help is appreciated btw
Thank you very much for your help and feedback. @bnoctis @whtsky
I just read the CVE and it says “ LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)”
In my understanding this should impact applications uses lz4 to compress / write data. But archi only supports decompress / read data now, so I assume it should not affect archi.
Hi, @whtsky , I'd like to report a vulnerability issue in archi_0.2.3.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph(here shows part of the dependency graph, which depends on vulnerable shared libraries), archi_0.2.3 directly or transitively depends on 7 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
liblz4-c29043df.so.1.7.1
from C project lz4(version:r131) exposed 1 vulnerabilities: CVE-2019-17543Suggested Vulnerability Patch Versions
lz4 has fixed the vulnerabilities in versions >=1.9.2
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular python package (archi has 8,216 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~ Best regards, MikeWazowski