Date: Tue, 4 Apr 2023 12:31:25 +0200
From: Hubert Tournier <hubert.tournier@gmail.com>
To: FreeBSD-security@freebsd.org, Hubert Tournier <hubert.tournier@gmail.com>
Subject: Re: 45 vulnerable ports unreported in VuXML
Message-ID: <CADr+mw86a4XmRvmTPp+4GUN7c90C_suzK4bm2M7p6QUWY-M-Fw@mail.gmail.com>
In-Reply-To: <ZCv00k-jL__tYYWG@int21h>
References: <CADr+mw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com> <ZCv00k-jL__tYYWG@int21h>
I'm OK to do the OSV tool.

Best regards,

On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> >Hello,
> >
> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> >alternative Python packages management tool, I noticed that some Python
> >packages installed as FreeBSD ports were marked as vulnerable by the Python
> >Packaging Authority
> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> >but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> >security database.
> >
> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> >check the 4.000+ FreeBSD ports for Python packages and found 45 of them
> >vulnerable and unreported
> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
> >
> >I started producing new VuXML entries
> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> >these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
> >
> >In order to verify if these vulnerable ports were also marked as
> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> >carried away writing a whole utility, vuxml
> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> >general interest to some of you?
> >
> >Best regards,
> >
> >PS: this approach could be extended to Rust crates, Ruby gems and so on
> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>
> +1 ^^^ really good idea
>
> Probably best to ask in freebsd-hackers@ as devs are likely to
> read this there
> --
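The cross-check the thread describes, a port's PyPA known vulnerabilities (the `vulnerabilities` array of the PyPI JSON API) compared against what VuXML already references, as an added example that is not pysec2vuxml's or vuxml's own code. It assumes constructed sample data with placeholder advisory ids, a simplified numeric version ordering, and a conservative reading of PyPI's `fixed_in` list.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the PyPI JSON API "vulnerabilities" array; the
# advisory ids are placeholders, not real PYSEC/CVE identifiers.
PYPI_SAMPLE = json.dumps({"vulnerabilities": [
    {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001"],
     "fixed_in": ["1.9.3", "2.0.2"], "withdrawn": None},
    {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-0002"],
     "fixed_in": ["2.0.5"], "withdrawn": None},
    {"id": "PYSEC-0000-0003", "aliases": ["CVE-0000-0003"],
     "fixed_in": ["3.0.0"], "withdrawn": "2023-01-01T00:00:00Z"},
]})

# Constructed VuXML fragment in the style of vuln.xml: one entry already covers
# CVE-0000-0001, so only the second advisory should be reported as missing.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>py-examplepkg -- constructed sample entry</topic>
    <references><cvename>CVE-0000-0001</cvename></references>
  </vuln></vuxml>"""

def version_key(version):
    # Numeric dotted versions only (simplification); use packaging.version for PEP 440.
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_affected(port_version, fixed_in):
    # Conservative reading of the lossy fixed_in list: affected until the port
    # reaches the highest fixed release; an empty list means no fix exists yet.
    if not fixed_in:
        return True
    return version_key(port_version) < max(version_key(f) for f in fixed_in)

def vuxml_referenced_ids(vuxml_text):
    # Collect every <cvename> text without depending on the exact namespace.
    root = ET.fromstring(vuxml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "cvename" and el.text}

def unreported_advisories(pypi_text, port_version, vuxml_text):
    # Advisories hitting port_version that VuXML references neither by id nor alias.
    known = vuxml_referenced_ids(vuxml_text)
    found = []
    for adv in json.loads(pypi_text)["vulnerabilities"]:
        if adv.get("withdrawn") or not is_affected(port_version, adv["fixed_in"]):
            continue  # withdrawn advisories and fixed versions are skipped
        if not ({adv["id"], *adv.get("aliases", [])} & known):
            found.append(adv["id"])
    return found
```

A real run would fetch `https://pypi.org/pypi/<name>/json` per port and parse the ports tree's vuln.xml; the lossy `fixed_in` field is why the OSV affected ranges mentioned in the PS give a more precise answer.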