Bug 270744 - security/vuxml: 20 new entries for vulnerable ports
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal Affects Many People
Assignee: Philip Paeps
URL: https://github.com/HubTou/pysec2vuxml
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-04-10 18:33 UTC by Hubert Tournier
Modified: 2023-04-12 17:25 UTC
CC: 12 users

See Also:


Attachments
20 VuXML new entries for vulnerable ports (23.82 KB, text/plain)
2023-04-10 18:33 UTC, Hubert Tournier
18 corrected VuXML new entries for vulnerable ports (22.49 KB, text/plain)
2023-04-11 16:33 UTC, Hubert Tournier

Description Hubert Tournier 2023-04-10 18:33:13 UTC
Created attachment 241403
20 VuXML new entries for vulnerable ports

A second batch of new VuXML entries for vulnerable ports discovered with pysec2vuxml (see https://github.com/HubTou/pysec2vuxml).

Others will follow as soon as possible.

Entries were verified with:
# cd /usr/ports/security/vuxml
# make validate

Here are the ports affected with their respective maintainers:

-------------------------------------------------------------------------------------------------------------
Vulns Package           Port path                 Port name              Port version Maintainer             
-------------------------------------------------------------------------------------------------------------
2     cinder            misc/py-cinder            py39-cinder            12.0.10_22   sunpoet@FreeBSD.org    
2     tflite            misc/py-tflite            py39-tflite            2.3.0        yuri@FreeBSD.org       
2     impacket          net/py-impacket           py39-impacket          0.9.17_1     contato@kanazuchi.com  
1     suds              net/py-suds               py39-suds              1.1.2        sunpoet@FreeBSD.org    
1     slixmpp           net-im/py-slixmpp         py39-slixmpp           1.7.1        0mp@FreeBSD.org        
1     nicotine-plus     net-p2p/py-nicotine-plus  py39-nicotine-plus     3.2.0_1      ports@FreeBSD.org      
1     pymatgen          science/py-pymatgen       py39-pymatgen          2022.7.19    yuri@FreeBSD.org       
3     tensorflow        science/py-tensorflow     py39-tensorflow        2.9.1_5      amzo1337@gmail.com     
2     cryptography      security/py-cryptography  py39-cryptography      3.4.8_1,1    sunpoet@FreeBSD.org    
1     kerberos          security/py-kerberos      py39-kerberos          1.3.1        dvl@FreeBSD.org        
6     pysaml2           security/py-pysaml24      py39-pysaml24          4.9.0_1      sunpoet@FreeBSD.org    
3     ansible           sysutils/ansible          py39-ansible           7.1.0        0mp@FreeBSD.org        
2     psutil            sysutils/py-psutil121     py39-psutil121         1.2.1_2      swills@FreeBSD.org     
1     beaker            www/py-beaker             py39-beaker            1.12.1       python@FreeBSD.org      
=============================================================================================================
Python packages' FreeBSD ports = 4127
  vulnerable ports              = 41    (14 in this batch)
  vulnerable ports/version      = 46    (14 in this batch)
    vulnerabilities             = 140   (28 in this batch)
-------------------------------------------------------------------------------------------------------------
Comment 1 Dan Langille freebsd_committer freebsd_triage 2023-04-10 22:49:42 UTC
Not aimed at OP: How can <name>py39-kerberos</name> get all such packages? What if they're running py37? For example...
Comment 2 Hubert Tournier 2023-04-11 16:03:29 UTC
(In reply to Dan Langille from comment #1)
Right! I was also wondering if it was the correct way to do this but assumed going for the default Python version would do. I found examples of how to do it properly in previous VuXML entries.
I'll be submitting a new replacement attachment in this hour.
Comment 3 Hubert Tournier 2023-04-11 16:33:59 UTC
Created attachment 241423
18 corrected VuXML new entries for vulnerable ports

Fixes coverage of other Python versions, taking into account Dan Langille's comment.

I removed the 2 py-pysaml24 vulnerabilities which should update 2 previously reported py-pysaml2 vulnerabilities. I'll submit another patch for that later.
Comment 4 Philip Paeps freebsd_committer freebsd_triage 2023-04-12 04:19:06 UTC
Listing the flavours that currently exist leaves open the possibility that someone installs a vulnerable package for a future flavour of Python -- one that does not yet exist at the time the vulnerability is recorded.

The long-term solution would be for "pkg audit" to become aware of flavours.

For now, I think your proposed patch is good enough.
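Added example (editor's note, not code from pysec2vuxml, the ports tree or any participant in this bug): a short Python script that builds the VuXML <package> block for a Python port with one <name> per flavour, the fix applied in the corrected attachment after comment 1, and then shows the gap comment 4 describes by checking which installed package names the entry would match. The flavour list, the version placed in <lt> and the installed package names are assumptions constructed for illustration; the real values come from the port's FLAVORS and the advisory. Only the <name> part of matching is modelled here, since pkg audit also compares the installed version against <range>.

```python
"""Expand a VuXML <package> entry for a Python port across Python flavours.

Added example, not code from pysec2vuxml or the ports tree. The flavour list,
the package base name and the version used in <lt> are illustrative
assumptions, not values taken from a real advisory.
"""
import xml.etree.ElementTree as ET

# Assumed flavour list: in practice use what `make -V FLAVORS` reports for the
# port when the entry is written. A flavour added later (e.g. a new Python
# release) is not named here, which is the limitation raised in comment 4.
PYTHON_FLAVORS = ("py37", "py38", "py39", "py310", "py311")


def package_names(base, flavors=PYTHON_FLAVORS):
    """Return one package name per flavour, e.g. py39-kerberos."""
    return [f"{flavor}-{base}" for flavor in flavors]


def build_package_element(base, fixed_version, flavors=PYTHON_FLAVORS):
    """Build a VuXML <package> element with one <name> per flavour.

    `fixed_version` is the first non-vulnerable version and goes into <lt>.
    """
    pkg = ET.Element("package")
    for name in package_names(base, flavors):
        ET.SubElement(pkg, "name").text = name
    rng = ET.SubElement(pkg, "range")
    ET.SubElement(rng, "lt").text = fixed_version
    return pkg


def render_package(base, fixed_version, flavors=PYTHON_FLAVORS):
    """Serialise the <package> element as it would appear inside <affects>."""
    pkg = build_package_element(base, fixed_version, flavors)
    return ET.tostring(pkg, encoding="unicode")


def names_in_entry(package_xml):
    """All <name> values a <package> element lists."""
    return {n.text for n in ET.fromstring(package_xml).iter("name")}


def entry_covers(package_xml, installed_pkg):
    """Does the entry name this installed package (e.g. py37-kerberos-1.3.1)?

    Only the name is checked; pkg audit additionally compares the version
    against <range>, which this example does not reproduce.
    """
    name, _, _version = installed_pkg.rpartition("-")
    return name in names_in_entry(package_xml)


if __name__ == "__main__":
    # Constructed inputs: "1.3.1_1" is an illustrative <lt> value, not the
    # actual fixed version of the kerberos port.
    single = render_package("kerberos", "1.3.1_1", flavors=("py39",))
    expanded = render_package("kerberos", "1.3.1_1")
    print(expanded)
    for pkg in ("py39-kerberos-1.3.1", "py37-kerberos-1.3.1", "py312-kerberos-1.3.1"):
        print(pkg, "single:", entry_covers(single, pkg),
              "expanded:", entry_covers(expanded, pkg))
```

The single-flavour entry matches only py39-kerberos; the expanded entry also matches py37-kerberos, but neither matches a package built for a flavour that did not exist when the entry was written, which is why the thread points at flavour-aware pkg audit as the long-term fix rather than longer name lists.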
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-04-12 04:34:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=33ab2b4a207f7a41d472f6d94259cc77d634dcb6

commit 33ab2b4a207f7a41d472f6d94259cc77d634dcb6
Author:     Hubert Tournier <hubert.tournier@gmail.com>
AuthorDate: 2023-04-12 04:30:21 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-04-12 04:32:25 +0000

    security/vuxml: add another batch of pysec vulnerabilities

    Vulnerable Python ports discovered with pysec2vuxml.
    See also: <https://github.com/HubTou/pysec2vuxml>.

    PR:     270744

 security/vuxml/vuln/2023.xml | 590 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 590 insertions(+)
Comment 6 Dan Langille freebsd_committer freebsd_triage 2023-04-12 11:39:22 UTC
(In reply to Philip Paeps from comment #4)
Flavors and versions?