Date:      Sun, 7 Jun 2026 17:22:58 +0200
From:      Daniel Engberg <diizzy@FreeBSD.org>
To:        freebsd-python@freebsd.org
Cc:        Michael Gmelin <grembo@FreeBSD.org>
Subject:   Re: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273
Message-ID:  <fc6966ae-f4df-46ed-bff7-a15d41ebce5e@FreeBSD.org>


> From: Michael Gmelin <grembo_at_freebsd.org>
> Date: Sat, 06 Jun 2026 18:52:15 UTC
>
> > On 6. Jun 2026, at 19:56, Charlie Li <vishwin@freebsd.org> wrote:
> >
> > Michael Gmelin wrote:
> >> Hi,
> >> This probably affects a large number of python ports which won't build
> >> due to the vulnerability in the build dependency.
> > This is a tricky situation because not every consumer can use the
> > latest setuptools, not least due to various breaking functional changes.
> > Even after we finish the latest effort of the setuptools effort (massive
> > is an understatement), there will probably still be a need to keep older
> > versions around.
> >
> > As for this specific vulnerability, it is not exploitable in how we
> > (ports) build Python packages, since the affected mechanism is
> > setuptools's own PyPI fetching mechanism which we do not use (we have
> > our own do-fetch via fetch(1) et al). Further, the source file this was
> > found in is an already deprecated module, package_index, whose only
> > consumer is another deprecated entry point, easy_install. We don't use
> > those in ports either. And even in the case of a Python virtual
> > environment, the system Python packages are not used by default, and pip
> > will download the latest setuptools if needed.
> >
> > In all, this vuxml entry was not added or reviewed by the python@
> > team, especially not for applicability to actual use cases.
> >
>
> Almost figured that by the tone of the commit message.
>
> Would it be reasonable to patch all the versions of setuptools we have
> in use (I didn’t look at the details of the vulnerability to understand
> how complex such a fix would be)?
>
> Cheers
>

There's nothing to review; it's valid. There are also multiple security issues with Python itself and related ports, but progress gets blocked or moves at a glacial pace.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271673
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274671
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270358
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281470
To mention a few.

You might also want to consider the view on security by reading the comments in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

Looking at git history, none of the listed VuXML entries related to Python have been initially added by the "Python team" for the past 2 years, and there certainly have been relevant CVEs issued during that time.
https://github.com/psf/advisory-database/tree/main/advisories/python

Security overall isn't a priority in the ports tree. bofh@ gave a very good talk about it last year and so far there has been little response, unfortunately:
https://www.youtube.com/watch?v=ZGmuZz5ETHs&t=19276s

Security vulnerabilities are in general poorly tracked due to multiple issues: maintainer time, interest, adding entries being time-consuming, and so on. Repology lists about 400 ports as "Potentially vulnerable", but there are likely some mismatches; a lot of ports aren't tracked/matched with upstream projects correctly, or are simply very outdated/EOL/discontinued upstream, so they lack any (active) reviewing. Additionally, it also lists about 6.5k ports as out of date, which probably isn't too far off.

If security is a priority you likely want to review the ports you use and consider using an overlay/forking the ports tree.

Best regards,
Daniel

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fc6966ae-f4df-46ed-bff7-a15d41ebce5e>