Skip to content

Potential vulneraility in the C library which pyhdf depends on. Can you help upgrade to patch versions? #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MikeWazoWski123 opened this issue Apr 4, 2022 · 2 comments
Open

Potential vulneraility in the C library which pyhdf depends on. Can you help upgrade to patch versions? #54

MikeWazoWski123 opened this issue Apr 4, 2022 · 2 comments

Comments

@MikeWazoWski123
Copy link

MikeWazoWski123 commented Apr 4, 2022
edited
Loading

Hi, @fhs , @teoliphant, I'd like to report a vulnerability issue in pyhdf_0.10.3.

Dependency Graph between Python and Shared Libraries

image

Issue Description

As shown in the above dependency graph, pyhdf_0.10.3 directly or transitively depends on 2 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVE:
libjpeg-43436dd5.so.62.1.0from C project libjpeg-turbo(version:1.3.0) exposed 2 vulnerabilities:
CVE-2020-14152, CVE-2018-14498

Furthermore, the vulnerable methods in these vulnerable shared libraries can be actually invoked by Python code.
For instance, the following call chain starting from jpeg_start_compress() can reach the vulnerable method GLOBAL(size_t) jpeg_mem_available (j_common_ptr cinfo, size_t min_bytes_needed, size_t max_bytes_needed, size_t already_allocated) in jmemnobs.c reported by CVE-2020-14152:

call chain -----
jpeg_start_compress() -> jinit_compress_master() -> realize_virt_arrays() -> jpeg_mem_available()

Suggested Vulnerability Patch Versions

libjpeg-turbo has fixed the vulnerabilities in versions >=2.0.0

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (ppyhdf has 4,576 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
MikeWazowski
@abrammer
Copy link
Contributor

libjpeg-turbo-devel==1.2.90-8 is installed as a dependency from hdf and hdf-devel.
Adding the libjpeg-turbo-offcial repo and forcing a >=2x install doesn't resolve that dependency, and those 2 key libraries still want to install the old libjpeg.

The library originates from yum -y install epel-release hdf hdf-devel inside of container quay.io/pypa/manylinux2014_x86_64.

Can you provide guidance on how to update the library given the upstream dependencies.

@djhoese
Copy link

djhoese commented Nov 22, 2023

I noticed this issue while looking up some compilation errors. I just wanted to say that if someone is encountering an old version of libjpeg bundled with the pyhdf binary wheel packages, a workaround is to provide --no-binary pyhdf to your pip command. For example pip install --no-binary pyhdf pyhdf. This should force pip to build from pyhdf source which should dynamically look for whatever version of HDF4 and libjpeg/libjpeg-turbo are available on the system.

As far as getting the corrected/fixed versions of these dependencies on your system, that's another discussion. If pyhdf's wheel building automatically finds these new versions of these dependencies next time it builds its wheels (a future release) then the wheels on PyPI will also be using those fixed versions (because they'll be bundled internally).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@djhoese @abrammer @MikeWazoWski123