nvictus/pybbi

Could you help upgrade the vulnerable shared library introduced by package pybbi?

MikeWazoWski123 opened this issue · 0 comments

Hi, @nvictus , @pkerpedjiev , I'd like to report a vulnerability issue in pybbi_0.3.0.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between pybbi and its shared libraries]

Issue Description

As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown), pybbi_0.3.0 directly or transitively depends on 11 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libpng12-640ca796.so.0.49.0 from C project libpng (version <= 1.2.54) exposed 10 vulnerabilities:
CVE-2011-3045, CVE-2014-9495, CVE-2013-7354, CVE-2013-7353, CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540

Suggested Vulnerability Patch Versions

libpng has fixed the vulnerabilities in versions >=1.6.32

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (pybbi has 3,372 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~
Best regards,
MikeWazowski
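The point the issue makes is that pip and the wheel metadata say nothing about native libraries vendored into a wheel, so a downstream user has to open the archive to find them. The script below is an added example (not part of this issue, and not code from pybbi or its maintainers) of how to do that: it walks a wheel, picks out the `<pkg>.libs/` directory that auditwheel-repaired manylinux wheels use, parses the `lib<name>-<hash>.so.<version>` naming convention, and for libpng maps the shared-object version back to a release number. The sample wheel is constructed in memory with placeholder file contents, the `libz` entry and its hash are invented, and the libpng SONAME-to-release mapping (`libpng12.so.0.49.0` -> 1.2.49, `libpng16.so.16.37.0` -> 1.6.37) is an assumption about libpng's versioning scheme, not something the issue states.

```python
"""Inspect a Python wheel for vendored (bundled) shared libraries.

auditwheel-repaired wheels carry native dependencies under ``<pkg>.libs/``,
renamed to ``lib<name>-<8-hex-hash>.so[.<version>]``. Nothing in the wheel
metadata lists them, so this walks the zip archive directly.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# auditwheel naming convention: lib<name>-<hash>.so[.<version>]
_VENDORED_RE = re.compile(
    r"^(?P<name>lib[^/]+?)-(?P<hash>[0-9a-f]{8})\.so(?:\.(?P<ver>[0-9.]+))?$"
)


def list_vendored_libs(wheel_bytes: bytes) -> List[Dict[str, Optional[str]]]:
    """Return one record per vendored .so found in the wheel (given as zip bytes)."""
    found: List[Dict[str, Optional[str]]] = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for entry in zf.namelist():
            parts = entry.split("/")
            # Only look inside auditwheel-style vendoring directories (<pkg>.libs/).
            if len(parts) < 2 or not parts[-2].endswith(".libs"):
                continue
            m = _VENDORED_RE.match(parts[-1])
            if not m:
                continue
            found.append({
                "path": entry,
                "library": m.group("name"),
                "hash": m.group("hash"),
                "so_version": m.group("ver"),
            })
    return found


def libpng_release_from_soname(library: str, so_version: Optional[str]) -> Optional[str]:
    """Map a libpng shared-object version to a release number.

    Assumption about libpng's scheme: libpng<M><m>.so.<X>.<patch>.0 corresponds
    to release M.m.patch (libpng12.so.0.49.0 -> 1.2.49, libpng16.so.16.37.0 -> 1.6.37).
    Returns None for anything that is not a libpng object.
    """
    m = re.fullmatch(r"libpng(\d)(\d)", library)
    if not m or not so_version:
        return None
    fields = so_version.split(".")
    if len(fields) < 2:
        return None
    return f"{m.group(1)}.{m.group(2)}.{fields[1]}"


def _version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def audit(wheel_bytes: bytes, min_libpng: str = "1.6.32") -> List[str]:
    """List vendored libraries and flag libpng builds older than min_libpng."""
    report: List[str] = []
    for rec in list_vendored_libs(wheel_bytes):
        line = f"{rec['library']} (SONAME version {rec['so_version']})"
        release = libpng_release_from_soname(rec["library"], rec["so_version"])
        if release is not None:
            ok = _version_tuple(release) >= _version_tuple(min_libpng)
            line += f" -> libpng {release}: {'OK' if ok else 'below ' + min_libpng}"
        report.append(line)
    return report


def build_sample_wheel() -> bytes:
    """Constructed sample: a minimal zip laid out like an auditwheel-repaired wheel.

    The .so contents are placeholders, not real ELF objects; the libz entry
    and its hash are invented for illustration.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bbi/__init__.py", "")
        zf.writestr("pybbi.libs/libpng12-640ca796.so.0.49.0", b"\x7fELF placeholder")
        zf.writestr("pybbi.libs/libz-a147dcb0.so.1.2.11", b"\x7fELF placeholder")
        zf.writestr("pybbi-0.3.0.dist-info/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_wheel() with open("some.whl", "rb").read() for a real wheel.
    for line in audit(build_sample_wheel()):
        print(line)
```

Run it against a real wheel by reading the `.whl` file's bytes instead of the constructed sample; the SONAME version string is what you then look up against the upstream project's advisories, since the wheel carries no other version record for the vendored library.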