From: Hubert Tournier <hubert.tournier@gmail.com>
Date: Tue, 4 Apr 2023 12:31:25 +0200
Subject: Re: 45 vulnerable ports unreported in VuXML
To: FreeBSD-security@freebsd.org, Hubert Tournier
List-Archive: https://lists.freebsd.org/archives/freebsd-security

I'm OK to do the OSV tool.

Best regards,

On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> >Hello,
> >
> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> >alternative Python package management tool, I noticed that some Python
> >packages installed as FreeBSD ports were marked as vulnerable by the Python
> >Packaging Authority
> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> >but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> >security database.
> >
> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> >check the 4,000+ FreeBSD ports for Python packages and found 45 of them
> >vulnerable and unreported
> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
> >
> >I started producing new VuXML entries
> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> >these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
> >
> >In order to verify if these vulnerable ports were also marked as
> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> >carried away writing a whole utility, vuxml
> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> >general interest to some of you?
> >
> >Best regards,
> >
> >PS: this approach could be extended to Rust crates, Ruby gems and so on
> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>
> +1 ^^^ really good idea
>
> Probably best to ask in freebsd-hackers@ as devs are likely to
> read this there
> --
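The cross-check the thread describes, taking a Python package's known-vulnerability advisories from PyPI and asking whether the matching FreeBSD port version is already covered by a VuXML entry, written out as an added example. This is not code from pysec2vuxml or the vuxml library. The VuXML document and the PyPI response below are constructed; the advisory field names (id, aliases, fixed_in, link) follow the warehouse JSON API's vulnerabilities list; the version ordering is a deliberate simplification of pkg(8) semantics, adequate for plain X.Y.Z strings; and the all-zero vid and CVE ids are placeholders, not real identifiers.

```python
"""Cross-check PyPI advisories for a package against VuXML coverage of its port.
Added example, not pysec2vuxml's own code. All documents below are constructed."""
import json
import xml.etree.ElementTree as ET

# The VuXML default namespace; every tag in a VuXML document carries it.
VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML document with a single entry (placeholder vid and CVE id).
VUXML_DOC = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>py-examplelib -- constructed placeholder entry</topic>
    <affects>
      <package>
        <name>py39-examplelib</name>
        <name>py311-examplelib</name>
        <range><lt>2.4.0</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-0000-0001</cvename>
    </references>
  </vuln>
</vuxml>
"""

# Constructed PyPI per-version JSON, reduced to the fields this example reads.
# Assumption: the per-version endpoint only lists advisories affecting that release.
PYPI_JSON = json.dumps({
    "info": {"name": "examplelib", "version": "2.3.1"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001"],
         "fixed_in": ["2.4.0"], "link": "https://osv.dev/vulnerability/PYSEC-0000-0001"},
        {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-0002"],
         "fixed_in": ["2.5.0"], "link": "https://osv.dev/vulnerability/PYSEC-0000-0002"},
    ],
})


def version_key(version):
    """Simplified ordering key: drop a port revision (_N) and epoch (,N), then
    compare dotted components numerically where possible. Not full pkg(8) rules."""
    base = version.split(",")[0].split("_")[0]
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in base.split("."))


def in_range(version, range_el):
    """True when `version` satisfies every bound child of a VuXML <range>."""
    ops = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
           "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
           "eq": lambda a, b: a == b}
    key = version_key(version)
    for bound in range_el:
        tag = bound.tag.replace(VUXML_NS, "")
        if tag in ops and not ops[tag](key, version_key(bound.text.strip())):
            return False
    return True


def vuxml_covers(doc, port_name, port_version, ids):
    """Return vids of entries that reference one of `ids` (CVE name or URL)
    and list port_name at port_version as affected."""
    root = ET.fromstring(doc)
    hits = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        refs = {r.text.strip() for r in vuln.iter(VUXML_NS + "cvename")}
        refs |= {r.text.strip() for r in vuln.iter(VUXML_NS + "url")}
        if not refs & ids:
            continue
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in pkg.findall(VUXML_NS + "name")}
            if port_name in names and any(
                    in_range(port_version, r) for r in pkg.findall(VUXML_NS + "range")):
                hits.append(vuln.get("vid"))
    return hits


def unreported(pypi_json, vuxml_doc, port_name):
    """Advisory ids PyPI reports for the installed version that no VuXML entry
    covers for this port: the candidates for new VuXML entries."""
    data = json.loads(pypi_json)
    version = data["info"]["version"]
    missing = []
    for adv in data["vulnerabilities"]:
        ids = {adv["id"], adv["link"], *adv.get("aliases", [])}
        if not vuxml_covers(vuxml_doc, port_name, version, ids):
            missing.append(adv["id"])
    return missing


if __name__ == "__main__":
    for port in ("py39-examplelib", "py310-examplelib"):
        print(port, "unreported:", unreported(PYPI_JSON, VUXML_DOC, port))
```

Matching on CVE name or advisory URL rather than on the VuXML topic text keeps the check independent of wording, and checking the affected range as well as the reference avoids counting an entry that names the package but does not cover the installed version. The py310 flavour in the usage call shows the other failure mode worth catching: an entry that exists but omits one of the port's flavour names.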