From nobody Tue Apr 04 09:58:42 2023
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PrNWX1rFWz43JZm
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Tue,  4 Apr 2023 09:58:48 +0000 (UTC)
	(envelope-from void@f-m.fm)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PrNWW1ZGyz3yHS
	for <FreeBSD-security@freebsd.org>; Tue,  4 Apr 2023 09:58:47 +0000 (UTC)
	(envelope-from void@f-m.fm)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=f-m.fm header.s=fm2 header.b=tc1WEA4e;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.b=hImuCDf7;
	spf=pass (mx1.freebsd.org: domain of void@f-m.fm designates 64.147.123.19 as permitted sender) smtp.mailfrom=void@f-m.fm;
	dmarc=pass (policy=none) header.from=f-m.fm
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
	by mailout.west.internal (Postfix) with ESMTP id A8FEF3200921;
	Tue,  4 Apr 2023 05:58:45 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
  by compute2.internal (MEProxy); Tue, 04 Apr 2023 05:58:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=f-m.fm; h=cc:cc
	:content-type:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:sender
	:subject:subject:to:to; s=fm2; t=1680602325; x=1680688725; bh=lB
	dcwlhT6PDu6REC+mMj2mydnA0iVr1CXFuHdbptBUg=; b=tc1WEA4eobRFyWLWT9
	3w13/zLA9KucdKWYxrCcD0O1GKF7dWSTMhD9i5yj59zjs6hcn5G0j6V/XS+pJEpF
	cexHKjb9mfdfRsFluEcBIMMHGwurBkZiEXjRRUVNPY7Fdh1OhRGJQMlrHtInLLjc
	PuogachCtTDcBkeYNTX7mTh5EInduYF6lMD9rlprkujY4Z5cKIf9WsZUY11klp19
	FWBRbO3ARbIpLO1hFFaKS3+cRu+QvamkyurB/XcsT41yd/nFN64GoBA3YfyxRPmI
	rWG6AwsdRRYuddBF/ttn2HseMv+WAX8UuF/eA9si8ssNUEUpNfhXGsKBpXeut0IV
	FvTQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:sender:subject
	:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
	:x-sasl-enc; s=fm2; t=1680602325; x=1680688725; bh=lBdcwlhT6PDu6
	REC+mMj2mydnA0iVr1CXFuHdbptBUg=; b=hImuCDf7EIs7R/hrjYJwdEkmO1IYE
	HFVL5vt12WNfKMMYGndrm+Ctmv+Vz6MeUpvDrzlfHJ+UhTm7CrZ5ETWLqRxfvGJm
	tznh3iLw7IA24Ar0RAdfBV9yPVfCMWX6h/gsWvsbzZLIqfzj4uctLhqTvd/NAEIj
	mCVp2J7nxY6GTwbfEQypeT+xlpL7tx4Ba44MDUhProaPnV72P4GqFiYE2AFh+zyz
	drY3HHWHLLWww4iSuGIqRZo5HBolHJXpb/A1VrCL1305k4ovBANQc34CgCzIczH2
	KKAbUqD2U5YN4zwl2lPNU2iccgIQMggaXJ+IYNTM4du7bH4N91IiEnGyA==
X-ME-Sender: <xms:1fQrZEGPhSGNyacMF4bvci9UUUrcMtJaMMQgsD5N7eGNY_roVa72gw>
    <xme:1fQrZNWAdPoMXHY591rO_bSlN7a2Ri07pRYeACaPZqd8Qk1w_C1E66yAY1_Q-_7ZW
    go0DQhW1IQyu-PDlg>
X-ME-Received: <xmr:1fQrZOKQFsHICM5mqlMg35YoAUmgVf9ARGOaxZZKYa4vZTlmHW8__xCf>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvdeiledgvdduucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepfffhvfevuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepvhhoihgu
    uceovhhoihgusehfqdhmrdhfmheqnecuggftrfgrthhtvghrnhepieelleeikedtfffgie
    ejkeeuhfdtudfghedvheffgffgffeigeeggfeigeetteeunecuffhomhgrihhnpehgihht
    hhhusgdrtghomhdpphihphgrrdhiohdpvhhugihmlhdrohhrghdpohhsvhdruggvvhenuc
    evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehvohhiuges
    fhdqmhdrfhhm
X-ME-Proxy: <xmx:1fQrZGEoAk7PsidmHaGGMJUoxBRA0n7lBJbKNwkB_JC5t2BY_u4rdQ>
    <xmx:1fQrZKUb4rqV3CtZVVuOwmigYGgQO0edcPjA2a2tdECr9ewJtc8Zpw>
    <xmx:1fQrZJOfHsrvCguhX7uHQK9Kics03JEHVYvJX_pqchaue1nJpy_spw>
    <xmx:1fQrZDco3F71pzbJpjiFeVqQPqKbaFU0p8akEE3DE7Tk5bo1DGq8gg>
Feedback-ID: i2541463c:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue,
 4 Apr 2023 05:58:44 -0400 (EDT)
Date: Tue, 4 Apr 2023 10:58:42 +0100
From: void <void@f-m.fm>
To: Hubert Tournier <hubert.tournier@gmail.com>
Cc: FreeBSD-security@freebsd.org
Subject: Re: 45 vulnerable ports unreported in VuXML
Message-ID: <ZCv00k-jL__tYYWG@int21h>
Mail-Followup-To: Hubert Tournier <hubert.tournier@gmail.com>,
	FreeBSD-security@freebsd.org
References: <CADr+mw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com>
 <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com>
X-Spamd-Result: default: False [-4.57 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	DWL_DNSWL_LOW(-1.00)[messagingengine.com:dkim];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.97)[-0.966];
	MID_RHS_NOT_FQDN(0.50)[];
	DMARC_POLICY_ALLOW(-0.50)[f-m.fm,none];
	R_DKIM_ALLOW(-0.20)[f-m.fm:s=fm2,messagingengine.com:s=fm2];
	R_SPF_ALLOW(-0.20)[+ip4:64.147.123.19];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_IN_DNSWL_LOW(-0.10)[64.147.123.19:from];
	ARC_NA(0.00)[];
	FROM_HAS_DN(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	TAGGED_RCPT(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	ASN(0.00)[asn:29838, ipnet:64.147.123.0/24, country:US];
	FREEMAIL_ENVFROM(0.00)[f-m.fm];
	RCVD_COUNT_THREE(0.00)[4];
	FREEMAIL_FROM(0.00)[f-m.fm];
	TO_DN_SOME(0.00)[];
	MLMMJ_DEST(0.00)[FreeBSD-security@freebsd.org];
	DKIM_TRACE(0.00)[f-m.fm:+,messagingengine.com:+];
	FREEMAIL_TO(0.00)[gmail.com];
	RCPT_COUNT_TWO(0.00)[2];
	MIME_TRACE(0.00)[0:+];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[]
X-Rspamd-Queue-Id: 4PrNWW1ZGyz3yHS
X-Spamd-Bar: ----
X-ThisMailContainsUnwantedMimeParts: N

On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>Hello,
>
>While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>alternative Python packages management tool, I noticed that some Python
>packages installed as FreeBSD ports where marked as vulnerable by the Python
>Packaging Authority
><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
>security database.
>
>So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>check the 4.000+ FreeBSD ports for Python packages and found 45 of them
>vulnerable and unreported
><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
>I started producing new VuXML entries
><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
>In order to verify if these vulnerable ports where also marked as
>vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>carried away writing a whole utility, vuxml
><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>general interest to some of you?
>
>Best regards,
>
>PS: this approach could be extended to Rust crates, Ruby gems and so on
>with the vulnerabilities described in the OSV <https://osv.dev/>...

+1 ^^^ really good idea

Probably best to ask in freebsd-hackers@ as devs are likely to 
read this there
--