Could you help upgrade the vulnerble shared library introduced by package python-gdcm?

[JoeGardner000]

Hi, @tfmoraes , I'd like to report a vulnerability issue in python-gdcm_3.0.12.

Issue Description

python-gdcm_3.0.12 directly or transitively depends on 41 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libgssapi_krb5-497db0c6.so.2.2 ,libk5crypto-b1f99d5c.so.3.1 and libkrb5-fc820a1d.so.3.3 from C project krb5(version:1.16) exposed 3 vulnerabilities:
CVE-2021-37750, CVE-2021-36222,CVE-2020-28196

Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Python code. For instance, the following call chain can reach the vulnerable method(C code) asn1_error_code decode_atype (const taginfo *t, const unsigned char *asn1, size_t len, const struct atype_info *a, void *val) in krb5/asn.1/asn1_encode.c reported by CVE-2020-28196.

call chain -----
PQsetnonblocking() -> pqFlush() -> pqSendSome() -> pqReadData() -> pqsecure_read() -> pgtls_read() -> ERR_clear_error() -> ERR_get_state() -> ossl_init_thread_start() -> OPENSSL_init_crypto() -> ENGINE_register_all_complete() -> ENGINE_register_complete() -> ENGINE_register_ciphers() -> engine_table_register() -> int_table_check() -> LHASH_OF() -> SortFnByName() -> FUNCTION() -> fn() -> ECPGconnect() -> PQconnectdbParams() -> PQconnectStartParams() -> connectDBStart() -> PQconnectPoll() -> pqDropConnection() -> gss_release_cred() -> gssint_get_mechanism() -> gssint_mechglue_initialize_library() -> gssint_mechglue_init() -> gss_krb5int_lib_init() -> gss_iakerbmechglue_init() -> iakerb_gss_accept_sec_context() -> krb5_gss_accept_sec_context_ext() -> kg_accept_krb5() -> krb5_gss_acquire_cred() -> acquire_cred() -> acquire_cred_context() -> acquire_init_cred() -> maybe_get_initial_cred() -> get_initial_cred() -> krb5_get_init_creds_password() -> k5_get_init_creds() -> krb5_init_creds_init() -> krb5_string_to_deltat() -> yyparse() -> make_op() -> exprType() -> get_promoted_array_type() -> get_array_type() -> SearchSysCache1() -> SearchCatCache1() -> SearchCatCacheInternal() -> CatalogCacheInitializeCache() -> table_open() -> relation_open() -> LockRelationOid() -> LockAcquireExtended() -> LogAccessExclusiveLockPrepare() -> GetCurrentTransactionId() -> AssignTransactionId() -> GetNewTransactionId() -> ExtendCLOG() -> ZeroCLOGPage() -> SimpleLruZeroPage() -> SlruSelectLRUPage() -> SlruInternalWritePage() -> SlruPhysicalWritePage() -> XLogFlush() -> XLogWrite() -> RequestCheckpoint() -> CreateCheckPoint() -> CheckPointGuts() -> CheckPointBuffers() -> BufferSync() -> CheckpointWriteDelay() -> UpdateSharedMemoryConfig() -> UpdateFullPageWrites() -> XLogInsert() -> XLogRecordAssemble() -> upper() -> str_toupper() -> pg_newlocale_from_collation() -> SysCacheGetAttr() -> InitCatCachePhase2() -> index_close() -> RelationClose() -> RelationClearRelation() -> RelationReloadNailed() -> RelationInitPhysicalAddr() -> ScanPgRelation() -> ScanKeyInit() -> fmgr_info() -> fmgr_info_cxt_security() -> fmgr_sql() -> init_sql_fcache() -> get_call_result_type() -> internal_get_result_type() -> lookup_rowtype_tupdesc_copy() -> lookup_rowtype_tupdesc_internal() -> lookup_type_cache() -> load_domaintype_info() -> expression_planner() -> eval_const_expressions() -> eval_const_expressions_mutator() -> expand_function_arguments() -> recheck_cast_function_args() -> make_fn_arguments() -> coerce_type() -> coerce_to_domain() -> coerce_type_typmod() -> exprTypmod() -> exprIsLengthCoercion() -> func() -> krb5_tkt_creds_get() -> krb5_tkt_creds_step() -> get_creds_from_tgs_reply() -> krb5int_process_tgs_reply() -> krb5int_decode_tgs_rep() -> krb5_kdc_rep_decrypt_proc() -> decode_krb5_enc_kdc_rep_part() -> k5_asn1_full_decode() -> decode_atype_to_ptr() -> decode_sequence_of() -> decode_atype()

Suggested Vulnerability Patch Versions

krb5 has fixed the vulnerabilities in versions >=1.19.3

Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (python-gdcm has 30,169 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Joe Gardner

[tfmoraes]

HI @JoeGardner000, I'm using krb5 from CentOS 7, I think I'll need to compile krb5 by myself.

[rksoli]

Hi @tfmoraes!

I may ask humbly if that issue could be considered to be resolved by now?

Best regards

[tfmoraes]

Hi @rksoli!

I think it's already fixed. The CVEs listed by @JoeGardner000 are not listed in this security scanner in the container image used to create the package.