Date:      Sun, 26 Mar 2023 12:21:51 +0200
From:      Tomek CEDRO <tomek@cedro.info>
To:        Hubert Tournier <hubert.tournier@gmail.com>
Cc:        freebsd-python@freebsd.org,  freebsd-security <FreeBSD-security@freebsd.org>
Subject:   Re: 45 vulnerable ports unreported in VuXML
Message-ID:  <CAFYkXjnmxNh1EYRQHPYJbEAQegNoSERWGRE1HftyyiYwa3K6DA@mail.gmail.com>
In-Reply-To: <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com>
References:  <CADr+mw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> <CADr+mw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P+nEN5Gg7Yeo_A@mail.gmail.com>


On Sun, Mar 26, 2023, 12:17 Hubert Tournier wrote:

> Hello,
>
> While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> alternative Python package management tool, I noticed that some Python
> packages installed as FreeBSD ports were marked as vulnerable by the Python
> Packaging Authority
> <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> security database.
>
> So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> check the 4.000+ FreeBSD ports for Python packages and found 45 of them
> vulnerable and unreported
> <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
> I started producing new VuXML entries
> <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt>
> for these vulnerable ports. *Please tell me if it's worth pursuing this
> effort?*
>
> In order to verify if these vulnerable ports were also marked as
> vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> carried away writing a whole utility, vuxml
> <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be
> of general interest to some of you?
>
> Best regards,
>
> PS: this approach could be extended to Rust crates, Ruby gems and so on
> with the vulnerabilities described in the OSV <https://osv.dev/>...
>

Sounds great and worth adding to the infra..? :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
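The cross-check Hubert describes in the quoted message, comparing the "vulnerabilities" list that the PyPI JSON API returns for a project/version against the `<affects>` ranges in a VuXML document, is sketched below as an added example. It is not code from pysec2vuxml, vuxml or any other project named in the thread. The PyPI response fragment, the VuXML document, the port names, versions and vulnerability identifiers are all constructed for the example; version comparison is a simplified numeric-tuple compare rather than full PEP 440 or pkg_version semantics, and the branch-matching rule used to interpret `fixed_in` is a heuristic assumed here, not the tool's logic.

```python
"""Flag ports that PyPI marks vulnerable but VuXML does not report (example code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# VuXML 1.x namespace, as used by the FreeBSD ports security database.
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v: str) -> tuple:
    """Simplified version parser: keeps leading digits of each dotted component."""
    parts = []
    for comp in v.split("."):
        digits = "".join(ch for ch in comp if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vcmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing versions a and b (missing components count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


# VuXML <range> children and the comparison each one expresses.
RANGE_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0,
    "gt": lambda c: c > 0, "ge": lambda c: c >= 0, "eq": lambda c: c == 0,
}


def in_vuxml_range(version: str, rng: ET.Element) -> bool:
    """True when `version` satisfies every bound inside a VuXML <range>."""
    for bound in rng:
        tag = bound.tag.split("}")[-1]  # strip the namespace prefix
        if tag in RANGE_OPS and not RANGE_OPS[tag](vcmp(version, bound.text.strip())):
            return False
    return True


def vuxml_reports(port: str, version: str, vuxml_xml: str) -> List[str]:
    """Return the vids of VuXML entries whose <affects> covers port@version."""
    root = ET.fromstring(vuxml_xml)
    vids = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in pkg.findall("v:name", NS)}
            if port not in names:
                continue
            if any(in_vuxml_range(version, r) for r in pkg.findall("v:range", NS)):
                vids.append(vuln.get("vid"))
    return vids


def pypi_vulnerable(version: str, vulns: List[dict]) -> List[str]:
    """Return ids of PyPI 'vulnerabilities' entries that still affect `version`.

    Heuristic (assumption, not PyPI's or pysec2vuxml's rule): if a fixed_in
    entry shares the installed major.minor branch, compare against it;
    otherwise compare against the oldest fix line.
    """
    ids = []
    for vuln in vulns:
        if vuln.get("withdrawn"):
            continue
        fixed = vuln.get("fixed_in") or []
        if not fixed:  # no fix published: every version is affected
            ids.append(vuln["id"])
            continue
        branch = parse_version(version)[:2]
        same_branch = [f for f in fixed if parse_version(f)[:2] == branch]
        reference = min(same_branch or fixed, key=parse_version)
        if vcmp(version, reference) < 0:
            ids.append(vuln["id"])
    return ids


def find_unreported(ports: Dict[str, Tuple[str, str]], pypi: Dict[str, List[dict]],
                    vuxml_xml: str) -> List[Tuple[str, str, List[str]]]:
    """Ports vulnerable per PyPI data with no matching VuXML entry."""
    unreported = []
    for port, (project, version) in ports.items():
        pysec_ids = pypi_vulnerable(version, pypi.get(project, []))
        if pysec_ids and not vuxml_reports(port, version, vuxml_xml):
            unreported.append((port, version, pysec_ids))
    return unreported


# --- constructed sample data (placeholder names, versions and identifiers) ---
PORTS = {  # port name -> (PyPI project, installed version)
    "py39-alpha": ("alpha", "1.4.0"),
    "py39-beta": ("beta", "0.9.1"),
    "py39-gamma": ("gamma", "3.2.0"),
}
PYPI = {  # shape follows the "vulnerabilities" list of the PyPI JSON API
    "alpha": [{"id": "PYSEC-EXAMPLE-0001", "fixed_in": ["1.4.2"], "withdrawn": None}],
    "beta": [{"id": "PYSEC-EXAMPLE-0002", "fixed_in": ["0.9.3", "1.0.1"], "withdrawn": None}],
    "gamma": [{"id": "PYSEC-EXAMPLE-0003", "fixed_in": ["3.1.9"], "withdrawn": None}],
}
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>alpha -- example issue</topic>
    <affects><package><name>py38-alpha</name><name>py39-alpha</name>
      <range><lt>1.4.2</lt></range></package></affects>
  </vuln>
</vuxml>"""

if __name__ == "__main__":
    for port, version, ids in find_unreported(PORTS, PYPI, VUXML):
        print(f"{port}-{version}: vulnerable per PyPI ({', '.join(ids)}), not in VuXML")
```

In the sample, py39-alpha is vulnerable and already covered by a VuXML entry, py39-gamma is on a version newer than the fix, and only py39-beta comes out as unreported; a real run would fetch the JSON for each installed project/version and load the full vuln.xml instead of the inline strings.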
