You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, @kyamagu , @jljusten , I'd like to report a vulnerability issue in skia-python_87.4.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, skia-python_87.4 directly or transitively depends on 4 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs: libuuid-f64cda11.so.1.3.0 from C project util-linux(version:2.27.1) exposed 3 vulnerabilities: CVE-2018-7738, CVE-2021-37600, CVE-2016-5011
Suggested Vulnerability Patch Versions
util-linux has fixed the vulnerabilities in versions >=2.37.2
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (skia-python has 8,051 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Andy
The text was updated successfully, but these errors were encountered:
@andy201709 skia-python bundles those shared libraries via auditwheel inside manylinux2014 (centos7) container, where the available libuuid version is libuuid-devel-2.23.2-65.el7_9.1.x86_64 in the package manager. Can you suggest a reasonable workaround to the build step in build_Linux.sh?
@kyamagu , thank you for your feedback.
I notice that the libuuid-f64cda11.so.1.3.0 is a dependent of libfontconfig-42c558d2.so.1.11.1.
Try to upgrade the latest version of fontconfig in build_Linux.sh may workaround it? Just a suggestion, I'm not sure.
Hi, @kyamagu , @jljusten , I'd like to report a vulnerability issue in skia-python_87.4.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, skia-python_87.4 directly or transitively depends on 4 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libuuid-f64cda11.so.1.3.0
from C project util-linux(version:2.27.1) exposed 3 vulnerabilities:CVE-2018-7738, CVE-2021-37600, CVE-2016-5011
Suggested Vulnerability Patch Versions
util-linux has fixed the vulnerabilities in versions >=2.37.2
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (skia-python has 8,051 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Andy
The text was updated successfully, but these errors were encountered: