Bug 270744

Summary: security/vuxml: 20 new entries for vulnerable ports
Product: Ports & Packages Reporter: Hubert Tournier <hubert.tournier>
Component: Individual Port(s)Assignee: Philip Paeps <philip>
Status: Closed FIXED    
Severity: Affects Many People CC: 0mp, amzo1337, contato, dvl, grahamperrin, philip, ports-secteam, ports, python, sunpoet, swills, yuri
Priority: Normal Keywords: security
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://github.com/HubTou/pysec2vuxml
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270723
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270795
Attachments:
Description Flags
20 VuXML new entries for vulnerable ports
none
18 corrected VuXML new entries for vulnerable ports none

Description Hubert Tournier 2023-04-10 18:33:13 UTC 
Created attachment 241403 [details]
20 VuXML new entries for vulnerable ports

A second batch of new VuXML entries for vulnerable ports discovered with pysec2vuxml (see https://github.com/HubTou/pysec2vuxml).

Others will follow as soon as possible.

Entries were verified with:
# cd /usr/ports/security/vuxml
# make validate

Here are the ports affected with their respective maintainers:

-------------------------------------------------------------------------------------------------------------
Vulns Package           Port path                 Port name              Port version Maintainer             
-------------------------------------------------------------------------------------------------------------
2     cinder            misc/py-cinder            py39-cinder            12.0.10_22   sunpoet@FreeBSD.org    
2     tflite            misc/py-tflite            py39-tflite            2.3.0        yuri@FreeBSD.org       
2     impacket          net/py-impacket           py39-impacket          0.9.17_1     contato@kanazuchi.com  
1     suds              net/py-suds               py39-suds              1.1.2        sunpoet@FreeBSD.org    
1     slixmpp           net-im/py-slixmpp         py39-slixmpp           1.7.1        0mp@FreeBSD.org        
1     nicotine-plus     net-p2p/py-nicotine-plus  py39-nicotine-plus     3.2.0_1      ports@FreeBSD.org      
1     pymatgen          science/py-pymatgen       py39-pymatgen          2022.7.19    yuri@FreeBSD.org       
3     tensorflow        science/py-tensorflow     py39-tensorflow        2.9.1_5      amzo1337@gmail.com     
2     cryptography      security/py-cryptography  py39-cryptography      3.4.8_1,1    sunpoet@FreeBSD.org    
1     kerberos          security/py-kerberos      py39-kerberos          1.3.1        dvl@FreeBSD.org        
6     pysaml2           security/py-pysaml24      py39-pysaml24          4.9.0_1      sunpoet@FreeBSD.org    
3     ansible           sysutils/ansible          py39-ansible           7.1.0        0mp@FreeBSD.org        
2     psutil            sysutils/py-psutil121     py39-psutil121         1.2.1_2      swills@FreeBSD.org     
1     beaker            www/py-beaker             py39-beaker            1.12.1       python@FreeBSD.org      
=============================================================================================================
Python packages's FreeBSD ports = 4127
  vulnerable ports              = 41	(14 in this batch)
  vulnerable ports/version      = 46	(14 in this batch)
    vulnerabilities             = 140	(28 in this batch)
-------------------------------------------------------------------------------------------------------------
Comment 1 Dan Langille freebsd_committer freebsd_triage 2023-04-10 22:49:42 UTC 
Not aimed at OP: How can <name>py39-kerberos</name> get all such packages? What if they're running py37? For example...
Comment 2 Hubert Tournier 2023-04-11 16:03:29 UTC 
(In reply to Dan Langille from comment #1)
Right! I was also wondering if it was the correct way to do this but assumed going for the default Python version would do. I found examples of how to do it properly in previous VuXML entries.
I'll be submitting a new replacement attachment in this hour.
Comment 3 Hubert Tournier 2023-04-11 16:33:59 UTC 
Created attachment 241423 [details]
18 corrected VuXML new entries for vulnerable ports

Fixes coverage of other Python versions, taking into account Dan Langille's comment.

I removed the 2 py-pysaml24 vulnerabilities which should update 2 previously reported py-pysaml2 vulnerabilities. I'll submit another patch for that later.
Comment 4 Philip Paeps freebsd_committer freebsd_triage 2023-04-12 04:19:06 UTC 
Listing the flavours that currently exist leaves open the possibility that someone installs a vulnerable package for a future flavour of Python -- one that does not yet exist at the time the vulnerability is recorded.

The long-term solution would be for "pkg audit" to become aware of flavours.

For now, I think your proposed patch is good enough.
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-04-12 04:34:08 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=33ab2b4a207f7a41d472f6d94259cc77d634dcb6

commit 33ab2b4a207f7a41d472f6d94259cc77d634dcb6
Author:     Hubert Tournier <hubert.tournier@gmail.com>
AuthorDate: 2023-04-12 04:30:21 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-04-12 04:32:25 +0000

    security/vuxml: add another batch of pysec vulnerabilities

    Vulnerable Python ports discovered with pysec2vuxml.
    See also: <https://github.com/HubTou/pysec2vuxml>.

    PR:     270744

 security/vuxml/vuln/2023.xml | 590 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 590 insertions(+)
Comment 6 Dan Langille freebsd_committer freebsd_triage 2023-04-12 11:39:22 UTC 
(In reply to Philip Paeps from comment #4)
Flavors and versions?