Date: Wed, 12 Apr 2023 04:33:06 GMT
Message-Id: <202304120433.33C4X6gG014968@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Philip Paeps
Subject: git: 33ab2b4a207f - main - security/vuxml: add another batch of pysec vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-Git-Committer: philip
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 33ab2b4a207f7a41d472f6d94259cc77d634dcb6

The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=33ab2b4a207f7a41d472f6d94259cc77d634dcb6

commit 33ab2b4a207f7a41d472f6d94259cc77d634dcb6
Author:     Hubert Tournier
AuthorDate: 2023-04-12 04:30:21 +0000
Commit:     Philip Paeps
CommitDate: 2023-04-12 04:32:25 +0000

    security/vuxml: add another batch of pysec vulnerabilities

    Vulnerable Python ports discovered with pysec2vuxml.

    See also: .

    PR: 270744
---
 security/vuxml/vuln/2023.xml | 590 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 590 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 6a121ed3c137..09c522891c70 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,593 @@ + + py-beaker -- arbitrary code execution vulnerability + + + py37-beaker + py38-beaker + py39-beaker + py310-beaker + py311-beaker + 1.12.1 + + + + +

matheusbrat reports:

+
+

The Beaker library through 1.12.1 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.

+
+ +
+ + CVE-2013-7489 + https://osv.dev/vulnerability/PYSEC-2020-216 + + + 2020-06-26 + 2023-04-10 + +
+ + + py-psutil -- double free vulnerability + + + py37-psutil121 + py38-psutil121 + py39-psutil121 + py310-psutil121 + py311-psutil121 + 5.6.6 + + + + +

ret2libc reports:

+
+

psutil (aka python-psutil) through 5.6.5 can have a double free.

+

This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.

+
+ +
+ + CVE-2019-18874 + https://osv.dev/vulnerability/PYSEC-2019-41 + https://osv.dev/vulnerability/GHSA-qfc5-mcwq-26q8 + + + 2019-11-12 + 2023-04-10 + +
+ + + py-ansible -- multiple vulnerabilities + + + py37-ansible + py38-ansible + py39-ansible + py310-ansible + py311-ansible + 7.2.0 + + + + +

abeluck reports:

+
+

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed.

+

Files would remain in the bucket exposing the data.

+

This issue affects directly data confidentiality.

+
+
+

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers.

+

Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes.

+

This issue affects mainly the service availability.

+
+ +
+ + CVE-2020-25635 + https://osv.dev/vulnerability/PYSEC-2020-220 + CVE-2020-25636 + https://osv.dev/vulnerability/PYSEC-2020-221 + + + 2020-10-05 + 2023-04-10 + +
+ + + py-ansible -- data leak vulnerability + + + py37-ansible + py38-ansible + py39-ansible + py310-ansible + py311-ansible + 7.1.0 + + + + +

Tapas jena reports:

+
+

A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory.

+

Any secret information in an async status file will be readable by a malicious user on that system.

+

This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

+
+ +
+ + CVE-2021-3532 + https://osv.dev/vulnerability/PYSEC-2021-125 + + + 2021-06-09 + 2023-04-10 + +
+ + + py-kerberos -- DoS and MitM vulnerabilities + + + py37-kerberos + py38-kerberos + py39-kerberos + py310-kerberos + py311-kerberos + 1.3.1 + + + + +

macosforgebot reports:

+
+

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

+
+ +
+ + CVE-2015-3206 + https://osv.dev/vulnerability/PYSEC-2017-49 + + + 2017-08-25 + 2023-04-10 + +
+ + + py-cryptography -- includes a vulnerable copy of OpenSSL + + + py37-cryptography + py38-cryptography + py39-cryptography + py310-cryptography + py311-cryptography + 39.0.1 + + + + +
+

pyca/cryptography's wheels include a statically linked copy of OpenSSL.

+

The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue.

+

More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt.

+

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL.

+

Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

+
+ +
+ + CVE-2023-0286 + https://osv.dev/vulnerability/GHSA-x4qr-2fvf-3mr5 + + + 2023-02-08 + 2023-04-10 + +
+ + + py-cryptography -- allows programmers to misuse an API + + + py37-cryptography + py38-cryptography + py39-cryptography + py310-cryptography + py311-cryptography + 1.839.0.1 + + + + +

alex reports:

+
+

Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.

+

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.

+

This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.

+

This now correctly raises an exception.

+

This issue has been present since `update_into` was originally introduced in cryptography 1.8.

+
+ +
+ + CVE-2023-23931 + https://osv.dev/vulnerability/GHSA-w7pp-m8wf-vj6r + + + 2023-02-07 + 2023-04-10 + +
+ + + py-tensorflow -- denial of service vulnerability + + + py37-tensorflow + py38-tensorflow + py39-tensorflow + py310-tensorflow + py311-tensorflow + 2.8.4 + 2.9.02.9.3 + 2.10.02.10.1 + + + + +

Kang Hong Jin, Neophytos Christou, 刘力源 and Pattarakrit Rattankul report:

+
+

Another instance of CVE-2022-35935, where `SobolSample` is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.

+
+

Pattarakrit Rattankul reports:

+
+

Another instance of CVE-2022-35991, where `TensorListScatter` and `TensorListScatterV2` crash via non scalar inputs in`element_shape`, was found in eager mode and fixed.

+
+ +
+ + CVE-2022-35935 + https://osv.dev/vulnerability/GHSA-cqvq-fvhr-v6hc + CVE-2022-35991 + https://osv.dev/vulnerability/GHSA-xf83-q765-xm6m + + + 2022-11-21 + 2023-04-09 + +
+ + + py-tensorflow -- unchecked argument causing crash + + + py37-tensorflow + py38-tensorflow + py39-tensorflow + py310-tensorflow + py311-tensorflow + 2.7.2 + 2.8.02.8.1 + 2.9.02.9.2 + + + + +

Jingyi Shi reports:

+
+

The 'AvgPoolOp' function takes an argument `ksize` that must be positive but is not checked.

+

A negative `ksize` can trigger a `CHECK` failure and crash the program.

+
+ +
+ + CVE-2022-35941 + https://osv.dev/vulnerability/GHSA-mgmh-g2v6-mqw5 + + + 2022-09-16 + 2023-04-09 + +
+ + + py-pymatgen -- regular expression denial of service + + + py37-pymatgen + py38-pymatgen + py39-pymatgen + py310-pymatgen + py311-pymatgen + 2022.9.21 + + + + +
+

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.

+
+ +
+ + CVE-2022-42964 + https://osv.dev/vulnerability/GHSA-5jqp-885w-xj32 + + + 2022-11-10 + 2023-04-09 + +
+ + + py-nicotine-plus -- Denial of service vulnerability + + + py37-nicotine-plus + py38-nicotine-plus + py39-nicotine-plus + py310-nicotine-plus + py311-nicotine-plus + 3.2.1 + + + + +

ztauras reports:

+
+

Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.

+
+ +
+ + CVE-2021-45848 + https://osv.dev/vulnerability/GHSA-p4v2-r99v-wjc2 + + + 2022-03-16 + 2023-04-09 + +
+ + + py-slixmpp -- incomplete SSL certificate validation + + + py37-slixmpp + py38-slixmpp + py39-slixmpp + py310-slixmpp + py311-slixmpp + 1.8.3 + + + + +
+

Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.

+
+ +
+ + CVE-2022-45197 + https://osv.dev/vulnerability/GHSA-q6cq-m9gm-6q2f + + + 2022-12-25 + 2023-04-09 + +
+ + + py-suds -- vulnerable to symlink attacks + + + py37-suds + py38-suds + py39-suds + py310-suds + py311-suds + 1.1.2 + + + + +

SUSE reports:

+
+

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.

+
+ +
+ + CVE-2013-2217 + https://osv.dev/vulnerability/PYSEC-2013-32 + + + 2013-09-23 + 2023-04-09 + +
+ + + py-impacket -- multiple path traversal vulnerabilities + + + py37-impacket + py38-impacket + py39-impacket + py310-impacket + py311-impacket + 0.9.100.9.23 + + + + +

asolino reports:

+
+

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

+
+ +
+ + CVE-2021-31800 + https://osv.dev/vulnerability/PYSEC-2021-17 + https://osv.dev/vulnerability/GHSA-mj63-64x7-57xf + + + 2021-05-05 + 2023-04-09 + +
+ + + py-tflite -- buffer overflow vulnerability + + + py37-tflite + py38-tflite + py39-tflite + py310-tflite + py311-tflite + 2.8.4 + 2.9.02.9.3 + 2.10.02.10.1 + + + + +

Thibaut Goetghebuer-Planchon reports:

+
+

The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.

+

Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.

+

An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.

+

It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.

+

This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).

+
+ +
+ + CVE-2022-41894 + https://osv.dev/vulnerability/GHSA-h6q3-vv32-2cq5 + + + 2022-11-21 + 2023-04-09 + +
+ + + py-tflite -- denial of service vulnerability + + + py37-tflite + py38-tflite + py39-tflite + py310-tflite + py311-tflite + 2.3.4 + 2.4.02.4.3 + 2.5.02.5.1 + + + + +

Yakun Zhang of Baidu Security reports:

+
+

An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service

+
+ +
+ + CVE-2021-37689 + https://osv.dev/vulnerability/GHSA-wf5p-c75w-w3wh + + + 2021-08-25 + 2023-04-09 + +
+ + + py-cinder -- unauthorized data access + + + py37-cinder + py38-cinder + py39-cinder + py310-cinder + py311-cinder + 19.1.2 + 20.0.020.0.2 + + + + +

Utkarsh Gupta reports:

+
+

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0.

+

By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.

+
+ +
+ + CVE-2022-47951 + https://osv.dev/vulnerability/GHSA-7h75-hwxx-qpgc + + + 2023-01-27 + 2023-04-09 + +
+ + + py-cinder -- data leak + + + py37-cinder + py38-cinder + py39-cinder + py310-cinder + py311-cinder + 12.0.9 + 13.0.013.0.9 + 14.0.014.3.1 + 15.0.015.6.0 + 16.0.016.4.2 + 17.0.017.4.0 + 18.0.018.2.1 + 19.0.019.2.0 + 20.0.020.1.0 + 21.0.021.1.0 + 22.0.022.0.0.0rc2 + + + + +

Duncan Thomas reports:

+
+

The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.

+
+ +
+ + CVE-2014-3641 + https://osv.dev/vulnerability/GHSA-qhch-g8qr-p497 + + + 2022-05-17 + 2023-04-09 + +
+ traefik -- Use of vulnerable Go modules net/http, net/textproto
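Review bot: the "py-cinder -- data leak" entry (CVE-2014-3641) marks every py*-cinder range from 12.0.9 up to 22.0.0.0rc2 as affected, but its own quoted description says the GlusterFS and Smbfs drivers are vulnerable in Cinder "before 2014.1.3"; either cut the ranges back to what the advisory states or drop the entry, because as written it flags every current cinder port for a 2014 bug. The "py-cryptography -- includes a vulnerable copy of OpenSSL" entry has the same shape of problem: the quoted text says only users installing the project's PyPI wheels are affected and that sdist builds are responsible for their own OpenSSL, so unless the port links the bundled OpenSSL this is a false positive for py*-cryptography before 39.0.1 and the OpenSSL advisories belong to the openssl port's own entries. In the "py-psutil -- double free" entry the packages are py*-psutil121 with 5.6.6 as the fixed version; the 121 suffix looks like a version-pinned 1.2.1 port rather than the main py-psutil port, so please confirm which port the advisory ("psutil through 5.6.5") is meant to cover. The "py-ansible -- data leak vulnerability" description names Ansible Tower 3.7 and Ansible Automation Platform 1.2 rather than the ansible package itself, so the mapping to py*-ansible before 7.1.0 deserves the same check. Minor text fixes before commit: "Tapas jena" should be "Tapas Jena", "in`element_shape`" is missing a space before the backtick, and "making possible to have collisions" reads better as "making it possible to have collisions".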