Hi, @Linkid , I'd like to report a vulnerability issue in mixstream_1.1.0.
[Figure: Dependency Graph between Python and Shared Libraries]
Issue Description
As shown in the above dependency graph (only the part of the graph that depends on vulnerable shared libraries is shown), mixstream_1.1.0 directly or transitively depends on 5 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVE:
libvorbisfile-c5d289a9.so.3.3.5 from C project libvorbis (version: 1.3.2) exposed 1 vulnerability:
CVE-2020-20412
Suggested Vulnerability Patch Versions
libvorbis has fixed the vulnerabilities in versions >=1.3.6
Python build tools cannot report vulnerable C libraries, which may introduce security issues into many downstream Python projects.
As a popular Python package (mixstream has 1,887 downloads per month), could you please upgrade the above shared libraries to their patched versions?
Thanks for your help~
Best regards,
Jor Gardner
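As an added example (not part of this report or of mixstream), here is a small Python check that lists the auditwheel-style vendored libraries inside a wheel and compares the upstream version the wheel was built against with the fixed version named above. The advisory table, the soname-to-project mapping and the sample wheel are constructed for illustration; the upstream version has to be supplied by the builder, because the hashed filename only carries the soname version (3.3.5 here), not the libvorbis release (1.3.2).

```python
import io
import re
import zipfile

# auditwheel/delocate-style vendored name, e.g. libvorbisfile-c5d289a9.so.3.3.5
VENDORED_SO = re.compile(
    r"^(?P<base>lib[\w+]+)-(?P<tag>[0-9a-f]{8})\.so(?:\.(?P<sover>[\d.]+))?$"
)

# Constructed advisory table; the libvorbis entry mirrors the report above
# (CVE-2020-20412, fixed in libvorbis >= 1.3.6).
FIXED_IN = {"libvorbis": ((1, 3, 6), "CVE-2020-20412")}

# Constructed mapping from vendored soname to the upstream C project.
SONAME_TO_PROJECT = {"libvorbisfile": "libvorbis", "libvorbisenc": "libvorbis",
                     "libvorbis": "libvorbis"}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def vendored_libraries(wheel_bytes):
    """Return [(path, base, tag, soversion)] for every vendored .so in the wheel (a zip)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            m = VENDORED_SO.match(name.rsplit("/", 1)[-1])
            if m:
                found.append((name, m["base"], m["tag"], m["sover"]))
    return found

def audit(wheel_bytes, project_versions):
    """project_versions: {upstream project: version the wheel was built against}.
    Returns one finding per vendored library whose upstream version is below the fix."""
    findings = []
    for path, base, _tag, _sover in vendored_libraries(wheel_bytes):
        project = SONAME_TO_PROJECT.get(base)
        if project not in FIXED_IN or project not in project_versions:
            continue  # unknown library or no build metadata: nothing we can decide
        fixed, cve = FIXED_IN[project]
        if parse_version(project_versions[project]) < fixed:
            findings.append((path, project, project_versions[project], cve))
    return findings

def build_sample_wheel():
    """Constructed stand-in for a manylinux wheel with one vendored library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mixstream/__init__.py", "")
        zf.writestr("mixstream.libs/libvorbisfile-c5d289a9.so.3.3.5", b"\x7fELF")
    return buf.getvalue()
```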
