From nobody Sun Mar 26 10:21:51 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PksSX5wFfz41cXk for ; Sun, 26 Mar 2023 10:22:04 +0000 (UTC) (envelope-from tomek@cedro.info) Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PksSW5Z3hz4LJd for ; Sun, 26 Mar 2023 10:22:03 +0000 (UTC) (envelope-from tomek@cedro.info) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=cedro.info header.s=google header.b=GdSpiWAM; spf=none (mx1.freebsd.org: domain of tomek@cedro.info has no SPF policy when checking 2607:f8b0:4864:20::112b) smtp.mailfrom=tomek@cedro.info; dmarc=none Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5418d54d77bso117662147b3.12 for ; Sun, 26 Mar 2023 03:22:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cedro.info; s=google; t=1679826123; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=jW+5UNK9LERxE9I/8wEmonXlXwVoRjAQC9eYToFoagM=; b=GdSpiWAMkBaazMS2FWJH2Q5waGAfAflhbXj3lZKHpFBaZgXv6YT2eVxdTFhWMX3HY4 +VZVaPd3C0/+I97NBzG0MzoFrZGEPfzAqwYoljpavxh6LSCk2xwvlQpWhbyMfsOcjYFf Hbf6IW9Rm57sPbSr2WS1ZeWHZ458NsO5jKTgpxAL4TRXbL0VrEYXKah8d/GXYV3+ACn1 0TdnIb7iZaqSZmd9E8Qv8hcDBMDBEXH7ZgFY5tMVargcHSGKC1g2UgGJPnSWQoKO+iCI kltNggfNiiGFQgUOYkXVrPlkyVK3L40I1Dzdk6LUlpmICE1igQmIl26yyoAC1rNXLdqg suQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679826123; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jW+5UNK9LERxE9I/8wEmonXlXwVoRjAQC9eYToFoagM=; b=imAhJHWavURZTpv76hF3Jpn6IdRLzc1w/lpJpshmkjUStztBbDqSYSvRy7q3kqFQ7a bcObluOjTtDomKk0nMUlTjO+FtFIwpffB/+AfRHDH5KoiWs3foHTejl2oioVCZ7R+A7t 0puycWCvGUoX8w95Q6KP6kxlttMiAnn562IAEIcWMoyKUH2UG+yE+bMOfInqfC4beshd 8IU9b9WqGvOpfDhgPViIm3QqEPmam2argbsRiL9uMw/N6u4WHJ8IMFtDMQeB5DKZWSde NNAPi+USiPoxv6O4YamaCZFlT9BSSXZLKx7LLbov7TYCXZpq54fTHScA809232NsQV9t 0cUw== X-Gm-Message-State: AAQBX9c49I6/h/mmoCf3FsRlNQ1SI8W+qrm8v3Wqp8EbMPxaBBPOeNNJ 4yEAP1MHllJpSI+pzt99J2sfFQ1Uo9nrVY4Mv0g= X-Google-Smtp-Source: AKy350azovlbiRpcyJMP0qWLGXxnFx5KO3xLaaxMYkKbMXkKzBKEj1fx0EJ+AHUPdkAoYpnh6NaA0Q== X-Received: by 2002:a81:7d86:0:b0:543:6327:8d51 with SMTP id y128-20020a817d86000000b0054363278d51mr8096702ywc.15.1679826122911; Sun, 26 Mar 2023 03:22:02 -0700 (PDT) Received: from mail-yw1-f174.google.com (mail-yw1-f174.google.com. [209.85.128.174]) by smtp.gmail.com with ESMTPSA id db17-20020a05690c0dd100b00545a08184eesm1413326ywb.126.2023.03.26.03.22.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 26 Mar 2023 03:22:02 -0700 (PDT) Received: by mail-yw1-f174.google.com with SMTP id 00721157ae682-5419d4c340aso117691747b3.11; Sun, 26 Mar 2023 03:22:02 -0700 (PDT) X-Received: by 2002:a81:c94d:0:b0:541:6941:5aa8 with SMTP id c13-20020a81c94d000000b0054169415aa8mr3512212ywl.7.1679826122117; Sun, 26 Mar 2023 03:22:02 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Tomek CEDRO Date: Sun, 26 Mar 2023 12:21:51 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: 45 vulnerable ports unreported in VuXML To: Hubert Tournier Cc: freebsd-python@freebsd.org, freebsd-security Content-Type: multipart/alternative; boundary="0000000000004b192f05f7caff46" X-Spamd-Result: default: False [-3.29 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.988]; R_DKIM_ALLOW(-0.20)[cedro.info:s=google]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; R_SPF_NA(0.00)[no SPF record]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::112b:from]; MLMMJ_DEST(0.00)[FreeBSD-security@freebsd.org]; FREEMAIL_TO(0.00)[gmail.com]; DKIM_TRACE(0.00)[cedro.info:+]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_LAST(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; TAGGED_RCPT(0.00)[]; DMARC_NA(0.00)[cedro.info]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Rspamd-Queue-Id: 4PksSW5Z3hz4LJd X-Spamd-Bar: --- X-ThisMailContainsUnwantedMimeParts: N --0000000000004b192f05f7caff46 Content-Type: text/plain; charset="UTF-8" On Sun, Mar 26, 2023, 12:17 Hubert Tournier wrote: > Hello, > > While working on pipinfo , an > alternative Python packages management tool, I noticed that some Python > packages installed as FreeBSD ports where marked as vulnerable by the Python > Packaging Authority > > but not in FreeBSD VuXML ports > security database. > > So I made a pysec2vuxml tool to > check the 4.000+ FreeBSD ports for Python packages and found 45 of them > vulnerable and unreported > . > > I started producing new VuXML entries > > for these vulnerable ports. *Please tell me if it's worth pursuing this > effort?* > > In order to verify if these vulnerable ports where also marked as > vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got > carried away writing a whole utility, vuxml > , to demonstrate its use. This could be > of general interest to some of you? > > Best regards, > > PS: this approach could be extended to Rust crates, Ruby gems and so on > with the vulnerabilities described in the OSV ... > Sounds great and worth adding to the infra..? :-) -- CeDeROM, SQ7MHZ, http://www.tomek.cedro.info > --0000000000004b192f05f7caff46 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Sun, Mar = 26, 2023, 12:17 Hubert Tournier wrote:
=
Hello,

While working on=20 pipinfo, an alternative Python packages management tool, I noti= ced that some Python packages installed as FreeBSD ports where marked as vulnerable by the Python Packaging Authority but not in Free= BSD VuXML ports security database.

So I made a pysec2vuxml tool to check= the 4.000+ FreeBSD ports for Python packages and found 45 of them vulnerable and unreported.

I started producing new VuXML= entries for these vulnerable ports. Please tell me if it's wort= h pursuing this effort?

In order to verify if th= ese vulnerable ports where also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got carried away writing a whole utility, vuxml, to demonstra= te its use. This could be of general interest to some of you?

Bes= t regards,

PS: this approach could be extended to Rust crates, Ru= by gems and so on with the vulnerabilities described in the OSV...

=

Sounds great and worth adding to the infra..? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

--0000000000004b192f05f7caff46--