Several vulnerabilities in the C library which archi depends on. Could you help upgrade to patch versions?
MikeWazoWski123 opened this issue · 5 comments
Hi, @whtsky , I'd like to report a vulnerability issue in archi_0.2.3.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the dependency graph above (only the part of the graph that depends on vulnerable shared libraries is shown), archi_0.2.3 directly or transitively depends on 7 C libraries (.so). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
liblz4-c29043df.so.1.7.1
from C project lz4 (version: r131) exposes 1 vulnerability:
CVE-2019-17543
Suggested Vulnerability Patch Versions
lz4 has fixed the vulnerabilities in versions >=1.9.2
Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (archi has 8,216 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
MikeWazowski
I assume it could be solved by simply upgrading bundled libarchive to 3.6.0 (latest so far), which I tried once in #16 but failed, partly due to the code base being too old. I'll try again.
I'm in poor health now and it looks like a hard change based on @bnoctis's PR. Please expect a delay for a working new version.
Meanwhile you can disable wheels and build archi locally with a higher version of libarchive to mitigate this.
Pinned this issue for awareness. Thanks for reporting!
And any help is appreciated btw
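As an added example, not code from the archi project or from anyone in this thread: a small checker for the bundled, hash-renamed shared libraries the report above describes, which flags any bundled liblz4 older than the 1.9.2 fix version the report gives. The `.libs` directory layout and the `lib<name>-<8 hex>.so.<version>` filename pattern are assumptions based on the `liblz4-c29043df.so.1.7.1` name in the report; the sample listing is constructed.

```python
import re
import sys
from pathlib import Path

# Minimum fixed version per bundled C library, taken from the report above
# (lz4 < 1.9.2 is CVE-2019-17543). Constructed table: extend as needed.
MIN_FIXED = {"lz4": (1, 9, 2)}

# Assumed auditwheel-style mangled filename, e.g. liblz4-c29043df.so.1.7.1:
# "lib" + library name + "-" + 8 hex chars + ".so." + version.
MANGLED = re.compile(r"^lib(?P<name>[A-Za-z0-9_]+?)-[0-9a-f]{8}\.so\.(?P<ver>[0-9.]+)$")


def parse_version(text):
    """'1.7.1' -> (1, 7, 1); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def classify(filename):
    """Return (libname, version_tuple, vulnerable) or None if not a mangled .so."""
    match = MANGLED.match(filename)
    if not match:
        return None
    name = match.group("name")
    version = parse_version(match.group("ver"))
    fixed = MIN_FIXED.get(name)
    return name, version, fixed is not None and version < fixed


def scan_names(filenames):
    """Return [(filename, libname, found_version, min_fixed)] for vulnerable entries."""
    findings = []
    for filename in sorted(filenames):
        result = classify(filename)
        if result and result[2]:
            name, version, _ = result
            findings.append((filename, name, ".".join(map(str, version)),
                             ".".join(map(str, MIN_FIXED[name]))))
    return findings


def scan_libs_dir(libs_dir):
    """Scan a wheel's bundled .libs directory (assumed: site-packages/archi.libs)."""
    return scan_names(p.name for p in Path(libs_dir).iterdir() if p.is_file())


if __name__ == "__main__":
    # With a directory argument scan it; otherwise use a constructed sample listing.
    hits = (scan_libs_dir(sys.argv[1]) if len(sys.argv) > 1 else
            scan_names(["liblz4-c29043df.so.1.7.1", "libzstd-0123abcd.so.1.4.4"]))
    for hit in hits:
        print("VULNERABLE: %s (%s %s, fixed in >= %s)" % hit)
```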
Thank you very much for your help and feedback. @bnoctis @whtsky
I just read the CVE and it says “LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.)”
In my understanding this should impact applications that use lz4 to compress / write data. But archi only supports decompressing / reading data now, so I assume it should not affect archi.