Hi @Linkid, I'd like to report a vulnerability issue in mixstream_1.1.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph (only the part of the dependency graph that depends on vulnerable shared libraries is shown), mixstream_1.1.0 directly or transitively depends on 5 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVE: libvorbisfile-c5d289a9.so.3.3.5 from C project libvorbis (version: 1.3.2) exposed 1 vulnerability: CVE-2020-20412
Suggested Vulnerability Patch Versions
libvorbis has fixed the vulnerabilities in versions >=1.3.6
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular Python package (mixstream has 1,887 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Jor Gardner
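The reporter's point that Python build tools do not see vendored shared libraries can be checked on a host with an inventory script like the one below. This is an added example, not code from the mixstream project or from the reporter; it assumes auditwheel-style `<package>.libs/` directories with hash-mangled file names, and the advisory table, the `libogg` entry and the `README` file are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional, Tuple

# auditwheel-style mangled soname: <lib>-<8 hex chars>.so[.<x.y.z>]
_MANGLED = re.compile(r"^(?P<lib>lib[^-]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[\d.]+))?$")

class BundledLib(NamedTuple):
    libs_dir: str   # the <package>.libs directory the file sits in
    filename: str   # mangled file name as found on disk
    lib: str        # base library name, e.g. libvorbisfile
    tag: str        # 8-hex hash tag auditwheel appended, e.g. c5d289a9
    sover: str      # soname version from the file name, e.g. 3.3.5 ('' if none)

def parse_mangled(filename: str) -> Optional[Tuple[str, str, str]]:
    m = _MANGLED.match(filename)
    return (m["lib"], m["tag"], m["sover"] or "") if m else None

def inventory(site_packages: Path) -> List[BundledLib]:
    """List every mangled shared object under <pkg>.libs/ in site-packages."""
    found = []
    for libs_dir in sorted(p for p in site_packages.glob("*.libs") if p.is_dir()):
        for f in sorted(libs_dir.iterdir()):
            parsed = parse_mangled(f.name)
            if parsed:
                found.append(BundledLib(libs_dir.name, f.name, *parsed))
    return found

# Constructed advisory index. libvorbisfile and libvorbisenc are built from the
# libvorbis project, which is what the reporter's finding is keyed on.
PROJECT_OF = {"libvorbis": "libvorbis", "libvorbisfile": "libvorbis", "libvorbisenc": "libvorbis"}
ADVISORIES = {"libvorbis": ["CVE-2020-20412 (fixed in libvorbis >= 1.3.6)"]}

def flag_advisories(libs: List[BundledLib]) -> Dict[str, List[str]]:
    """Map each bundled file to its upstream project's advisories. The soname
    version (3.3.5) is not the project version (1.3.2): confirm the project
    version from the wheel's build before treating a hit as confirmed."""
    return {f"{b.libs_dir}/{b.filename}": ADVISORIES[PROJECT_OF[b.lib]]
            for b in libs if PROJECT_OF.get(b.lib) in ADVISORIES}

def demo() -> Tuple[List[BundledLib], Dict[str, List[str]]]:
    """Scan a constructed site-packages tree mirroring the report."""
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp) / "mixstream.libs"
        libs.mkdir()
        for name in ("libvorbisfile-c5d289a9.so.3.3.5", "libogg-1a2b3c4d.so.0.8.2", "README"):
            (libs / name).write_bytes(b"")  # constructed placeholder files
        inv = inventory(Path(tmp))
        return inv, flag_advisories(inv)
```

Point `inventory()` at a real `site-packages` directory to list what `pip` will never report; `pip-audit` and similar tools only see the Python distribution, not these files.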
Linkid changed the title from "Potential security vulnerability in the C library which mixstream depends on. Can you help upgrade to patch versions?" to "Potential security vulnerability in the libvorbis C library" on Apr 7, 2022.
The version of this lib in CentOS 7 does not contain a patch for that. As some wheels are built with CentOS 7, it will not be fixed.
Moreover, this CVE is really specific to StepMania and is local. So this is not a big one for us.
So, this issue will be solved by itself when CentOS 7 is no longer used.