
Could you help upgrade the vulnerable shared library introduced by package depthai?

Open andy201709 opened this issue 3 years ago • 4 comments

Hi, @szabi-luxonis , @themarpe , I'd like to report a vulnerability issue in depthai_2.15.1.0.

Dependency Graph between Python project and shared libraries

[image: dependency graph between the Python project and its shared libraries]

Issue Description

As shown in the above dependency graph, depthai_2.15.1.0 directly or transitively depends on 9 C libraries (.so). However, I noticed that one of these C libraries is vulnerable, containing the following CVEs: libudev-cbe9b76e.so.1.6.2 from C project systemd (version: 229) exposed 24 vulnerabilities:
CVE-2021-33910, CVE-2020-1712, CVE-2020-13776, CVE-2019-3843, CVE-2019-3844, CVE-2019-3842, CVE-2019-20386, CVE-2018-15686, CVE-2018-15688, CVE-2018-15687, CVE-2018-16866, CVE-2018-16865, CVE-2018-16864, CVE-2018-16888, CVE-2018-6954, CVE-2018-1049, CVE-2017-1000082, CVE-2017-18078, CVE-2017-15908, CVE-2017-9217, CVE-2017-9445, CVE-2016-7796, CVE-2016-7795, CVE-2013-4392

Suggested Vulnerability Patch Versions

systemd has fixed the vulnerabilities in versions >=249.1

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (depthai has 62,321 downloads per month), could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~

Best regards,

Andy

andy201709 avatar Mar 26 '22 14:03 andy201709
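The report above turns on one gap: Python packaging metadata describes only Python dependencies, so the C libraries that auditwheel copies into a wheel's `<package>.libs/` directory are invisible to `pip` and to SBOM tools that read `METADATA` alone. The script below is an added example, not code from the depthai project or from the issue author. It opens a wheel as the zip file it is, lists every ELF shared object, un-mangles the auditwheel file name (`<name>-<8 hex>.so[.<version>]`), hashes each file so the inventory can be pinned, and reads the platform tags from the `WHEEL` file (the manylinux tag is what tells you which base OS the vendored libraries came from). The sample wheel it builds is constructed: only the `libudev-cbe9b76e.so.1.6.2` file name, the depthai version and the manylinux2014 tag come from the thread; the `libusb-1.0` entry, the hashes and the file contents are made up.

```python
"""Inventory the native shared libraries vendored inside a Python wheel.

Added example (not depthai project code).  Sample wheel contents are constructed.
"""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# auditwheel renames vendored libraries to <name>-<8 hex chars>.so[.<version>];
# the hash group is optional so un-repaired names (libfoo.so.1) parse as well.
SO_NAME = re.compile(
    r"^(?P<name>.+?)(?:-(?P<hash>[0-9a-f]{8}))?\.so(?:\.(?P<version>[0-9][0-9.]*))?$"
)


def parse_so_name(filename):
    """Return (name, hash, version) for a shared-object file name, else None.

    The version is the library's SONAME version (libudev 1.6.2), not the release
    of the project that built it (systemd 229); mapping one to the other needs
    knowledge of the build environment, e.g. the manylinux base image.
    """
    m = SO_NAME.match(filename)
    if not m:
        return None
    return m["name"], m["hash"], m["version"]


def inventory_wheel(wheel_path):
    """Return {'tags': [...], 'libs': [...]} describing the native code in a wheel."""
    tags, libs = [], []
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            path = info.filename
            top = path.split("/", 1)[0]
            base = path.rsplit("/", 1)[-1]
            if path.endswith(".dist-info/WHEEL"):
                for line in zf.read(info).decode("utf-8").splitlines():
                    if line.startswith("Tag:"):
                        tags.append(line.split(":", 1)[1].strip())
                continue
            parsed = parse_so_name(base)
            if parsed is None:
                continue
            data = zf.read(info)
            name, hsh, version = parsed
            libs.append({
                "path": path,
                "name": name,
                "version": version,
                "hash": hsh,
                # auditwheel places copied dependencies in <package>.libs/
                "kind": "vendored" if top.endswith(".libs") else "extension",
                "is_elf": data[:4] == b"\x7fELF",
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    libs.sort(key=lambda d: d["path"])
    return {"tags": tags, "libs": libs}


def build_sample_wheel(directory):
    """Write a constructed stand-in for a repaired manylinux wheel; return its path."""
    wheel = Path(directory) / "depthai-2.15.1.0-cp38-cp38-manylinux2014_x86_64.whl"
    with zipfile.ZipFile(wheel, "w") as zf:
        zf.writestr("depthai/__init__.py", "from .depthai import *\n")
        # the extension module is a .so as well, but not a vendored dependency
        zf.writestr("depthai/depthai.cpython-38-x86_64-linux-gnu.so", b"\x7fELF" + b"\0" * 60)
        # file name exactly as reported in the issue; the contents are a placeholder
        zf.writestr("depthai.libs/libudev-cbe9b76e.so.1.6.2", b"\x7fELF" + b"\1" * 60)
        # constructed second dependency, with a hyphen inside the library name
        zf.writestr("depthai.libs/libusb-1.0-0123abcd.so.0.1.0", b"\x7fELF" + b"\2" * 60)
        zf.writestr(
            "depthai-2.15.1.0.dist-info/WHEEL",
            "Wheel-Version: 1.0\nGenerator: auditwheel (constructed)\nRoot-Is-Purelib: false\n"
            "Tag: cp38-cp38-manylinux2014_x86_64\n",
        )
    return wheel


def demo():
    """Build the sample wheel in a temp dir and return its native-code inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_wheel(build_sample_wheel(tmp))


if __name__ == "__main__":
    inv = demo()
    print("platform tags:", ", ".join(inv["tags"]))
    for lib in inv["libs"]:
        print(f"{lib['kind']:9} {lib['name']:<36} {lib['version'] or '-':8} "
              f"elf={lib['is_elf']} sha256={lib['sha256'][:12]}...  {lib['path']}")
```

Point `inventory_wheel` at a real downloaded wheel to get the same listing for it. The `sha256` column is what you would record in an SBOM or compare against a known-good build; the `name`/`version` pair is only a starting point for matching against advisories, because a SONAME version such as 1.6.2 has to be mapped back to the upstream project release (here systemd) through the manylinux image the wheel was repaired on.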

Hi @andy201709 - thanks for the report

xlink_device_search_improvements will remove the dependency on udev - this should resolve this issue.

At the time, I suspect that this version of udev is taken from the manylinux OS (afaik centos 7 in manylinux2014). I think it might be possible to bring in a newer udev without a more recent OS (which causes issues that using an older OS solves, namely glibc compatibility), but not sure how trivial that'd be.

themarpe avatar Mar 26 '22 14:03 themarpe

@themarpe Thanks for your feedback and help. Hope this will not cause incompatibility issues.

andy201709 avatar Mar 26 '22 14:03 andy201709

Dear @themarpe, by the way, do you realize these types of vulnerability issues are induced by cross-language invocations?

Do you use any tools to help report vulnerable libraries implemented in other programming languages?

Best regards,

Andy

andy201709 avatar Mar 26 '22 14:03 andy201709

@andy201709 As of right now - no. Open for suggestions and PRs addressing this aspect:)

themarpe avatar Mar 28 '22 16:03 themarpe