We’ve developed a Julia package and compile it with PackageCompiler.jl. We can produce binary executables for both Windows and Linux platforms, and they work fine.
Problems occur, however, when we begin to do vulnerability analysis. Many, many vulnerabilities are reported, most of which are related to MinGW on the Windows platform.
The following are just some of the most critical vulnerabilities found.
CVE-2018-12699, found in:
- (artifacts/some-sha/, omitted later) mingw64/bin/addr2line.exe
- mingw64/bin/ar.exe
- mingw64/x86_64-w64-mingw32/bin/ar.exe
- mingw64/bin/c++filt.exe
- and many other .exes
CVE-2021-22945, found in:
- bin/libcurl-4.dll
- lib/julia/sys.dll
CVE-2022-1292, found in:
- mingw64/opt/bin/libeay32.dll
- mingw64/opt/bin/ssleay32.dll
- mingw64/opt/lib/libcrypto.a
- mingw64/opt/lib/libssl.a
Most of the problems, in our example, can simply be solved by deleting the corresponding files. For example, our program doesn’t use MinGW, so the whole mingw64 folder in the compiled package can be deleted, which solves 90 percent of the problems. This solution might not be suitable in other cases, though.
However, there are some vulnerabilities in files like sys.dll. Is there anything we can do to solve such problems? Maybe we should apply patches and then compile the Julia source code?
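The pruning step described above, written up as an added post-build script (not code from the original post or from PackageCompiler.jl): it removes the unneeded mingw64 tree from the bundle, hashes every native binary that remains so scan results can be compared between builds, and reports which of the files the scanner flagged still ship. It assumes, as the post states, that the application does not use MinGW, and it treats the two files the post could not delete (`bin/libcurl-4.dll`, `lib/julia/sys.dll`) as a watch list.

```python
"""Post-build pruning and inventory of a PackageCompiler.jl bundle (added example)."""
import hashlib
import shutil
from pathlib import Path

# Directories the application does not need at run time, relative to the bundle
# root. The post removes the whole mingw64 tree; assumption: nothing in the app
# loads anything from it.
PRUNE_DIRS = ("mingw64",)

# Files the scanner flagged that cannot simply be deleted (from the post). They are
# reported after each build so it is visible whether they are still shipped.
WATCH_LIST = ("bin/libcurl-4.dll", "lib/julia/sys.dll")

NATIVE_SUFFIXES = {".exe", ".dll", ".so", ".a"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def prune_bundle(root: Path, prune_dirs=PRUNE_DIRS) -> list[str]:
    """Delete unneeded directories; return the relative paths actually removed."""
    removed = []
    for rel in prune_dirs:
        target = (root / rel).resolve()
        # Refuse to delete anything that is not strictly inside the bundle root.
        if root.resolve() not in target.parents:
            raise ValueError(f"refusing to prune outside bundle: {rel}")
        if target.is_dir():
            shutil.rmtree(target)
            removed.append(rel)
    return removed


def inventory(root: Path) -> dict[str, str]:
    """Map each remaining native binary (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in NATIVE_SUFFIXES
    }


def still_flagged(manifest: dict[str, str], watch_list=WATCH_LIST) -> list[str]:
    """Watch-list files still shipped after pruning; these need patching, not deletion."""
    return [rel for rel in watch_list if rel in manifest]
```

Run `prune_bundle` and then `inventory` against the compiled app directory; diffing the returned manifest between builds shows which binaries changed when a rescan reports something new.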