
Potential security vulnerability in the shared library which capstone-gt depends on. Can you help upgrade to patch versions?

Open andy201709 opened this issue 3 years ago • 2 comments

Hi, @aquynh, @danghvu, I'd like to report a vulnerability issue in capstone-gt_4.0.2.1.

Dependency Graph between Python and Shared Libraries

[Image: dependency graph]

Issue Description

As shown in the above dependency graph, capstone-gt_4.0.2.1 directly depends on 1 C library (.so). However, I noticed that the C library is vulnerable, containing the following CVE: libcapstone.so from C project capstone (version: 3.0.4) exposed a vulnerability: CVE-2016-7151

Suggested Vulnerability Patch Versions

capstone has fixed the vulnerabilities in versions >=3.0.5

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects. As a popular Python package, could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~

Best regards,

Andy

andy201709, Mar 27 '22 09:03

Hi @andy201709, capstone-gt is GrammaTech's fork of capstone (https://github.com/GrammaTech/capstone/tree/next) so that issue would belong there. Capstone's official Python package is just capstone.

That said, we (at GrammaTech) build the Python package from the next branch, which is much newer than 3.0.5 (it only has minor differences with the official next branch). May I ask how you concluded that the version of libcapstone.so is 3.0.4?

aeflores, Mar 28 '22 13:03

@andy201709 Hi, we have released capstone 5.0-rc1, can you check if that version still has the vulnerability?

kabeor, Mar 29 '22 03:03