zmwangx / miller-rabin

Fast, deterministic* Miller-Rabin primality test for Python
MIT License

Could you help upgrade the vulnerable shared library introduced by package miller-rabin? #4

Open MikeWazoWski123 opened 2 years ago

MikeWazoWski123 commented 2 years ago

Hi, @zmwangx , I'd like to report a vulnerability issue in miller-rabin_1.0.1.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph, miller-rabin_1.0.1 directly or transitively depends on 2 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVE: libgmp-130d5f03.so.10.3.2 from C project gmp (version 6.1.0) exposes 1 vulnerability: CVE-2021-43618

Suggested Vulnerability Patch Versions

No official patched version has been released, but gmp has fixed the vulnerability in a patch.

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (miller-rabin has 1,807 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~

Best regards,
Andy

zmwangx commented 2 years ago

Hi, I don't use mpz_inp_raw, and in any case this lib doesn't read from an untrusted input stream or string, so I don't think it's relevant.

I can update gmp if a new version is released, but carrying a patch is way too much trouble. Please kindly remind me again if a new version of gmp is released.
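The two claims in this thread (the wheel bundles a gmp build affected by CVE-2021-43618; the extension never calls the affected entry point) are both checkable from the installed artifact. The script below is an added example, not code from the miller-rabin project: it parses auditwheel-style vendored library filenames (`<libname>-<hash>.so.<version>`, the convention behind `libgmp-130d5f03.so.10.3.2`) and the undefined symbols of the extension module as printed by `nm -D`, then reports whether an advisory's entry points are directly imported. It works on constructed sample data embedded inline so it runs offline; the `__gmpz_inp_raw` name is the exported symbol behind GMP's `mpz_inp_raw` macro, and the second library filename and the `nm` listing are made up for the example.

```python
"""Triage a bundled-shared-library advisory against a Python wheel (added example).

Offline: operates on constructed sample data in the same shapes you would get
from `ls <site-packages>/<pkg>.libs/` and `nm -D <site-packages>/<ext>.so`.
"""
import re
from dataclasses import dataclass

# auditwheel renames vendored libraries to <libname>-<8 hex chars>.so.<soname version>.
VENDORED_RE = re.compile(
    r"^(?P<lib>lib[A-Za-z0-9_+]+)-(?P<hash>[0-9a-f]{8})\.so\.(?P<ver>[0-9.]+)$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    library: str          # base name as it appears in the vendored filename
    symbols: frozenset    # exported entry points of the affected code path


# Constructed advisory record: CVE id and function name come from the issue;
# __gmpz_inp_raw is the symbol GMP exports for the mpz_inp_raw macro.
ADVISORIES = [
    Advisory("CVE-2021-43618", "libgmp", frozenset({"mpz_inp_raw", "__gmpz_inp_raw"})),
]

# Constructed sample directory listing: the first name is from the issue, the
# second is a placeholder standing in for the unnamed second library.
SAMPLE_LIBS_DIR = ["libgmp-130d5f03.so.10.3.2", "libexample-0badc0de.so.1"]

# Constructed `nm -D` output for a hypothetical extension module.
SAMPLE_NM = """\
                 U __gmpz_clear
                 U __gmpz_init
                 U __gmpz_import
                 U __gmpz_powm
                 U PyLong_AsLong
                 w __cxa_finalize@GLIBC_2.2.5
"""


def parse_vendored(filenames):
    """Map vendored filenames to {libname: soname_version}.

    Note the version is the shared-object (libtool) version, e.g. 10.3.2,
    not the project release; mapping it to a gmp release needs build metadata.
    """
    out = {}
    for name in filenames:
        m = VENDORED_RE.match(name)
        if m:
            out[m["lib"]] = m["ver"]
    return out


def undefined_symbols(nm_output):
    """Collect symbols the module imports: `nm -D` lines whose type column is 'U'."""
    syms = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "U":
            # drop a symbol-version suffix such as '@GLIBC_2.2.5'
            syms.add(parts[-1].split("@", 1)[0])
    return syms


def triage(vendored_files, nm_output):
    """For each advisory whose library is bundled, report whether any affected
    entry point is directly imported by the extension module.

    A missing direct import is evidence the path is unreachable from this
    module, not proof: review the library's own call graph if it matters.
    """
    libs = parse_vendored(vendored_files)
    imports = undefined_symbols(nm_output)
    findings = []
    for adv in ADVISORIES:
        if adv.library not in libs:
            continue
        hit = sorted(adv.symbols & imports)
        findings.append({
            "cve": adv.cve,
            "library": adv.library,
            "soname_version": libs[adv.library],
            "direct_import": bool(hit),
            "symbols": hit,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LIBS_DIR, SAMPLE_NM):
        status = "directly imported" if f["direct_import"] else "bundled, entry point not imported"
        print(f"{f['cve']}: {f['library']} (so version {f['soname_version']}): {status} {f['symbols']}")
```

Run it against a real install by replacing the two constants with `os.listdir()` of the package's `.libs` directory and the output of `nm -D` on the extension module; a finding with `direct_import` false is the maintainer's argument in machine-checkable form, while a true finding means the affected function is called and the bundled library needs rebuilding regardless of what the package itself parses.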

MikeWazoWski123 commented 2 years ago

Thanks for your feedback. @zmwangx