
Several vulnerabilities in the shared libraries which pdftopng depends on. Could you help upgrade to patch versions? #12

Open
andy201709 opened this issue Mar 27, 2022 · 3 comments · May be fixed by #14

Comments

@andy201709

andy201709 commented Mar 27, 2022

Hi, @vinayak-mehta, @captn3m0, I'd like to report a vulnerability issue in pdftopng_0.2.3.

Dependency Graph between Python and Shared Libraries

[image: dependency graph]

Issue Description

As shown in the above dependency graph, pdftopng_0.2.3 directly or transitively depends on 8 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

- libexpat-64fa60ba.so.1.5.2 from C project expat (version: <=2.1.0) exposed 1 vulnerability:
  CVE-2017-9233
- libfontconfig-63352676.so.1.4.4 from C project fontconfig (version: <=2.11.0) exposed 1 vulnerability:
  CVE-2016-5384
- libfreetype-20bfc0cd.so.6.3.22 from C project freetype (version: <2.5.2) exposed 11 vulnerabilities:
  CVE-2015-9381, CVE-2015-9383, CVE-2015-9382, CVE-2015-9290, CVE-2018-6942, CVE-2016-10328, CVE-2016-10244, CVE-2014-9747, CVE-2014-9746, CVE-2014-9745, CVE-2014-2241
- libpng12-640ca796.so.0.49.0 from C project libpng (version: <1.2.54) exposed 11 vulnerabilities:
  CVE-2019-17371, CVE-2011-3045, CVE-2014-9495, CVE-2013-7354, CVE-2013-7353, CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Python code. For instance, the following call chain can reach the vulnerable method (C code) png_inflate() in file libpng/pngrutil.c reported by CVE-2011-3045.

Call chain:

```
readpng2_decode_data() -> png_process_data() -> png_process_some_data() -> png_push_read_chunk() -> png_handle_iCCP() -> png_decompress_chunk() -> png_inflate()
```

Suggested Vulnerability Patch Versions

- expat has fixed the vulnerabilities in versions >=2.2.1
- fontconfig has fixed the vulnerabilities in versions >=2.12.1
- freetype has fixed the vulnerabilities in versions >=2.9.1
- libpng has fixed the vulnerabilities in versions >=1.6.32-48

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pdftopng has 21,936 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Andy
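The report above hinges on a check that pip and friends never perform: which shared objects are vendored inside the wheel, and whether any of them is a build already known to be vulnerable. The script below is an added example (not the pdftopng project's code, and not the reporter's tooling); it inventories auditwheel-style bundled `.so` files in a wheel and flags the four builds named in this issue. It assumes the auditwheel naming convention `lib<name>-<8-hex-hash>.so.<SONAME version>` under a `<package>.libs/` directory, and the sample wheel it builds in memory is constructed, with the hash tags and an extra decoy library chosen for illustration.

```python
import io
import re
import zipfile

# auditwheel renames vendored libraries to lib<name>-<hash>.so.<SONAME version>
# (e.g. libpng12-640ca796.so.0.49.0) and places them in <package>.libs/ (assumed layout).
BUNDLED_SO = re.compile(
    r"^(?P<pkg>[^/]+)\.libs/(?P<lib>lib[A-Za-z0-9_]+)-(?P<tag>[0-9a-f]{8})"
    r"\.so(?:\.(?P<sover>[0-9.]+))?$"
)

# Builds reported vulnerable in this issue, keyed by (library, SONAME version)
# rather than full file name, so a rebuild with a different hash tag is still flagged.
KNOWN_VULNERABLE = {
    ("libexpat", "1.5.2"): ["CVE-2017-9233"],
    ("libfontconfig", "1.4.4"): ["CVE-2016-5384"],
    ("libfreetype", "6.3.22"): ["CVE-2015-9381", "CVE-2015-9383", "CVE-2015-9382", "CVE-2015-9290",
                                "CVE-2018-6942", "CVE-2016-10328", "CVE-2016-10244", "CVE-2014-9747",
                                "CVE-2014-9746", "CVE-2014-9745", "CVE-2014-2241"],
    ("libpng12", "0.49.0"): ["CVE-2019-17371", "CVE-2011-3045", "CVE-2014-9495", "CVE-2013-7354",
                             "CVE-2013-7353", "CVE-2017-12652", "CVE-2015-8472", "CVE-2016-10087",
                             "CVE-2016-3751", "CVE-2015-0973", "CVE-2015-8540"],
}

def find_bundled_libs(wheel_bytes):
    """Return [(path, lib, sover)] for every auditwheel-bundled .so inside the wheel (a zip)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            m = BUNDLED_SO.match(name)
            if m:
                found.append((name, m.group("lib"), m.group("sover") or ""))
    return found

def audit_wheel(wheel_bytes, denylist=KNOWN_VULNERABLE):
    """Map each bundled .so path to its known CVEs; [] means not on the denylist (review manually)."""
    return {path: list(denylist.get((lib, sover), []))
            for path, lib, sover in find_bundled_libs(wheel_bytes)}

def make_sample_wheel():
    """Constructed stand-in for a pdftopng wheel: the four .so names from the report plus a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdftopng/__init__.py", "")
        for so in ("libexpat-64fa60ba.so.1.5.2", "libfontconfig-63352676.so.1.4.4",
                   "libfreetype-20bfc0cd.so.6.3.22", "libpng12-640ca796.so.0.49.0",
                   "libz-0123abcd.so.1.2.11"):  # libz entry and its hash tag are made up
            zf.writestr("pdftopng.libs/" + so, b"\x7fELF")  # placeholder contents, not a real ELF
    return buf.getvalue()

if __name__ == "__main__":
    for path, cves in audit_wheel(make_sample_wheel()).items():
        print(path, "->", ", ".join(cves) or "no known CVEs (review manually)")
```

Point it at a real wheel with `audit_wheel(open("pkg.whl", "rb").read())`; the SONAME version is an ABI version, not the upstream release number, so the denylist has to be keyed from known-bad builds rather than from the fixed-version list above.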

@andy201709
Author

@captn3m0, thank you very much for your help upgrading to the patch versions.
By the way, may I ask two more questions?

Are you aware of this type of cross-language vulnerability issue in Python projects?
Do you use any tools to help report vulnerable C libraries for Python projects?

Best regards,
Andy

@vinayak-mehta vinayak-mehta linked a pull request Apr 10, 2022 that will close this issue
@captn3m0
Contributor

@andy201709 Is there a way to reach you over email or elsewhere? I'm looking at documenting these issues, and perhaps setting up a CI for the same - would like to understand your methodology.

@captn3m0
Contributor

cc @JoeGardner000 , @MikeWazoWski123
