Potential secutiry vulnerability in the shared library which electrumsv-secp256k1 depends on. Can you help upgrade to patch versions? #5
Comments
|
New versions of https://github.com/ofek/coincurve / https://github.com/bitcoin-core/secp256k1 no longer use GMP |
|
Thanks for the report. We do not do 32-bit releases any more, and this is a 32-bit problem. If gmp had made a release, we would upgrade to support that regardless. |
|
Thanks for your feedback. @ofek |
|
@rt121212121 , thanks for your feedback. Is the diagnosis information useful to you? I am happy to know that :) |
|
I don't know. It depends on what the tool does and how much work it incurs. With this report and possibly many like it, it is very difficult to see how it would be abused even if it were relevant. |
Hi, @ofek , @rt121212121 , I'd like to report a vulnerability issue in electrumsv-secp256k1_0.9.4.
Dependency Graph between Python and Shared Libraries
Issue Description
As shown in the above dependency graph, electrumsv-secp256k1_0.9.4 directly or transitively depends on 2 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:
libgmp-4c77cc8e.so.10.3.2from C project gmp(version:<=6.1.0) exposed 1 vulnerabilities:CVE-2021-43618
Suggested Vulnerability Patch Versions
No official patch version released, but gmp has fixed the vulnerability in patch.
Python build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Python projects.
As a popular python package (electrumsv-secp256k1 has 5,254 downloads per month), could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Andy
The text was updated successfully, but these errors were encountered: