
Several vulnerabilities in the C library which archi depends on. Could you help upgrade to patch versions? #15

Open
MikeWazoWski123 opened this issue Apr 2, 2022 · 5 comments
Labels
help wanted Extra attention is needed

Comments

@MikeWazoWski123

Hi, @whtsky , I'd like to report a vulnerability issue in archi_0.2.3.

Dependency Graph between Python and Shared Libraries


Issue Description

As shown in the above dependency graph (only the part that depends on vulnerable shared libraries is shown here), archi_0.2.3 directly or transitively depends on 7 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
liblz4-c29043df.so.1.7.1 from C project lz4 (version: r131) exposes 1 vulnerability:
CVE-2019-17543

Suggested Vulnerability Patch Versions

lz4 has fixed the vulnerabilities in versions >=1.9.2

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (archi has 8,216 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~
Best regards,
MikeWazowski
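The report above hinges on bundled shared objects that Python tooling never inspects. The following added example (not code from the archi project or from the reporter) parses auditwheel-style bundled library names such as `liblz4-c29043df.so.1.7.1` and flags any whose version is below a known fixed version. It assumes the `lib<name>-<8 hex chars>.so.<version>` naming pattern; the file list and all entries other than the lz4 one are constructed.

```python
import re

# Constructed sample of names found in a wheel's bundled "<pkg>.libs/" directory.
# liblz4-c29043df.so.1.7.1 is the file named in the report; the rest are made up.
BUNDLED_LIBS = [
    "liblz4-c29043df.so.1.7.1",
    "libarchive-0123abcd.so.13.6.0",
    "libzstd-deadbeef.so.1.4.8",
]

# Minimum version at which the reported issue is fixed. lz4 >= 1.9.2 comes from
# the report (CVE-2019-17543); any other entry would be an assumption to add.
MIN_FIXED = {
    "lz4": (1, 9, 2),
}

# Assumed auditwheel-style mangled name: lib<name>-<8-hex hash>.so.<version>
_NAME_RE = re.compile(
    r"^lib(?P<name>[A-Za-z0-9_+]+?)-[0-9a-f]{8}\.so\.(?P<version>[0-9]+(?:\.[0-9]+)*)$"
)


def parse_bundled_lib(filename):
    """Return (library name, version tuple) or None if the name does not match."""
    m = _NAME_RE.match(filename)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("name"), version


def find_outdated(filenames, min_fixed=MIN_FIXED):
    """Return [(filename, name, version, required)] for libs below the fixed version."""
    findings = []
    for fn in filenames:
        parsed = parse_bundled_lib(fn)
        if parsed is None:
            continue  # not a mangled bundled library; skip rather than guess
        name, version = parsed
        required = min_fixed.get(name)
        if required is not None and version < required:
            findings.append((fn, name, version, required))
    return findings


if __name__ == "__main__":
    for fn, name, ver, req in find_outdated(BUNDLED_LIBS):
        print(f"{fn}: {name} {'.'.join(map(str, ver))} is below fixed {'.'.join(map(str, req))}")
```

Pointing `BUNDLED_LIBS` at `os.listdir()` of an installed package's `.libs` directory turns this into a quick audit of a wheel's bundled native dependencies.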

@nc7s
Collaborator

nc7s commented Apr 2, 2022

I assume it could be solved by simply upgrading bundled libarchive to 3.6.0 (latest so far), which I tried once in #16 but failed, partly due to the code base being too old. I'll try again.

@whtsky
Owner

whtsky commented Apr 3, 2022

I'm in poor health now and it looks like a hard change based on @bnoctis's PR. Please expect delay for a working new version.

Meanwhile you can disable wheels and build archi locally with a higher version of libarchive to mitigate this.

@whtsky whtsky pinned this issue Apr 3, 2022
@whtsky
Owner

whtsky commented Apr 3, 2022

Pinned this issue for awareness. Thanks for reporting!
And any help is appreciated btw

@whtsky whtsky added the help wanted Extra attention is needed label Apr 3, 2022
@MikeWazoWski123
Author

Thank you very much for your help and feedback. @bnoctis @whtsky

whtsky added a commit that referenced this issue Apr 13, 2022
Upgrade dependency libarchive to v3.6.0 to fix upstream vulnerabilities (#15)
@whtsky
Owner

whtsky commented Apr 13, 2022

I just read the CVE and it says: "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)"

In my understanding this should impact applications that use lz4 to compress / write data. But archi only supports decompress / read data now, so I assume it should not affect archi.
