Potential secutiry vulnerability in the shared library which smt-switch depends on. Can you help upgrade to patch versions? #299
Comments
|
Thanks @andy201709 for this. @makaimann -- how come we directly depend on gmp and not only transitively? That is, I am surprised by the arrow from smt-switch.cpython... to libgmpxxx on the right. Further -- how can we upgrade gmp for the solvers that we use? Won't that depend on an upgrade done by the solvers themselves? |
|
Thanks for reporting this @andy201709! @yoni206, this is for the generated I don't think we need an upgrade from the solvers (assuming the interface still matches), but I'm not certain. I'll try to look into this when I get a chance. Basically, when creating the wheels through the manylinux Docker image, we would need to upgrade the gmp version there. |
|
I understand it, thanks @makaimann . |
Hi, @makaimann , @yoni206 , I'd like to report a vulnerability issue in smt-switch_0.3.0.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, smt-switch_0.3.0 directly or transitively depends on 6 C libraries (.so). However, I noticed that some C libraries are vulnerable, containing the following CVEs:
libgmp-afec2dd4.so.10.2.0andlibgmpxx-25f6cf8d.so.4.4.0from C project gmp(version:6.1.0) exposed 1 vulnerabilities:CVE-2021-43618
Suggested Vulnerability Patch Versions
No official patch version released, but gmp has fixed the vulnerability in patch.
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (smt-switch has 790 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Andy
The text was updated successfully, but these errors were encountered: