Vulnerable shared libraries might make skia-python vulnerable. Can you help upgrade to patch versions?

[andy201709]

Hi, @kyamagu , @jljusten , I'd like to report a vulnerability issue in skia-python_87.4.

Dependency Graph between Python and Shared Libraries

Issue Description

As shown in the above dependency graph, skia-python_87.4 directly or transitively depends on 4 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libuuid-f64cda11.so.1.3.0 from C project util-linux(version:2.27.1) exposed 3 vulnerabilities:
CVE-2018-7738, CVE-2021-37600, CVE-2016-5011

Suggested Vulnerability Patch Versions

util-linux has fixed the vulnerabilities in versions >=2.37.2

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (skia-python has 8,051 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Andy

[kyamagu]

@andy201709 skia-python bundles those shared libraries via auditwheel inside manylinux2014 (centos7) container, where the available libuuid version is libuuid-devel-2.23.2-65.el7_9.1.x86_64 in the package manager. Can you suggest a reasonable workaround to the build step in build_Linux.sh?

[andy201709]

@kyamagu , thank you for your feedback.
I notice that the libuuid-f64cda11.so.1.3.0 is a dependent of libfontconfig-42c558d2.so.1.11.1.
Try to upgrade the latest version of fontconfig in build_Linux.sh may workaround it? Just a suggestion, I'm not sure.

[HinTak]

Manylinux2014 End of Life (EOL) on June 30th, 2024; so we have to switch upwards in the next 8 months. This should close when we switch.

[HinTak]

There is a new manylinux on 2024.07.02. (and m128/m130 has been using that for a couple of releases) This is due a revisit.

[HinTak]

Seems the current m132 build is still against 2.23.2-65.el7_9.1 as far as I can see from CI log.

[HinTak]

That said, the middle CVE said it is not exploitable on glibc system, and we ONLY do glibc systems (until / unless anybody works on #172 , I guess). And I am not sure about the other two - util-linux is a big package, I am not sure libuuid is involved in umount (the first) or removable dos media (last).

[HinTak]

See also improving #257 as an alternative to many linux wheels

[HinTak]

v134.0b12 comes with libuuid-2.32.1-46.el8 , and I am looking at the RPM's changelogs, etc.

I am going to say that this issue is a non-issue.

Here are the official redhat responses - the "fixes" for each of the CVE were submitted by Karel Zak in the 3 CVE links, who also maintains the rpm (and I checked the el8's rpm changelog - it is last updated Feb 2024, so I'd consider that actively updated, by the person who submitted the upstream fixes, too). They are some sort of bugs alright, but not security bugs.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-7738
https://bugzilla.redhat.com/show_bug.cgi?id=1552641

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-37600
https://bugzilla.redhat.com/show_bug.cgi?id=1987320

https://bugzilla.redhat.com/show_bug.cgi?id=1349741
https://access.redhat.com/security/cve/CVE-2016-5011

In a nutshell, the redhat folks said, for the first item "we don't ship the vulnerable component in any of our products", for the 3rd item "we fixed it in EL7 (in libblkid)" (not in libuuid, and so not in skia-python wheels). As for the 2nd item, redhat's statement is:

"This vulnerability is only present in the 32-bit builds of the util-linux package. The standard 64-bit builds (eg x86_64) are not affected.".

And since we don't do 32-bit linux skia-python wheels either, it has no effect on us.

So, none of the 3 CVEs are relevant to how skia-python wheels are built and shipped.

Cc @kyamagu