CVE-2013-2217

[existful]

Hello,

Could one of the maintainers come up with a fix for this CVE?

py39-suds-1.1.2 is vulnerable:
py-suds -- vulnerable to symlink attacks
CVE: CVE-2013-2217
WWW: https://vuxml.FreeBSD.org/freebsd/b31f7029-817c-4c1f-b7d3-252de5283393.html

Thanks.

[phillbaker]

This was addressed a long time ago, please see the change log: https://github.com/suds-community/suds/blob/master/CHANGELOG.md#version-070-2018-09-29 What leads you to believe the issue is not fixed?

…

On Fri, Jun 23, 2023 at 10:00 AM existful ***@***.***> wrote: Hello, Could one of the maintainers come up with a fix for this CVE? py39-suds-1.1.2 is vulnerable: py-suds -- vulnerable to symlink attacks CVE: CVE-2013-2217 WWW: https://vuxml.FreeBSD.org/freebsd/b31f7029-817c-4c1f-b7d3-252de5283393.html Thanks. — Reply to this email directly, view it on GitHub <#94>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAXCKKEEZRRBH4WKQXGF2DXMWOPVANCNFSM6AAAAAAZRTOYLU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[existful]

After installing the net/py-suds port, the vulmx entry appears.

[08:37] [vr0@yggdrasil]-[~]: doas pkg audit

py39-suds-1.1.2 is vulnerable:
py-suds -- vulnerable to symlink attacks
CVE: CVE-2013-2217
WWW: https://vuxml.FreeBSD.org/freebsd/b31f7029-817c-4c1f-b7d3-252de5283393.html

1 problem(s) in 1 installed package(s) found

Here the database entry from 2023-04-09 in the FreeBSD ports (pkg audit) and the associated commit:

https://cgit.freebsd.org/ports/commit/?id=33ab2b4a207f7a41d472f6d94259cc77d634dcb6

[phillbaker]

Please clarify what upstream fork of suds that package is using (it looks like py-suds, a separate fork from this based on the name). As well, this repository does not control the packaging or release process of packages outside of what is pushed to Pypi. You will likely need to file an issue with whatever distribution or system is publishing that package.

…

On Sat, Jun 24, 2023 at 2:40 AM existful ***@***.***> wrote: After installing the net/py-suds port, the vulmx entry appears. [08:37] ***@***.***-[~]: doas pkg audit py39-suds-1.1.2 is vulnerable: py-suds -- vulnerable to symlink attacks CVE: CVE-2013-2217 WWW: https://vuxml.FreeBSD.org/freebsd/b31f7029-817c-4c1f-b7d3-252de5283393.html 1 problem(s) in 1 installed package(s) found Here the database entry from 2023-04-09 in the FreeBSD ports (pkg audit) and the associated commit: https://cgit.freebsd.org/ports/commit/?id=33ab2b4a207f7a41d472f6d94259cc77d634dcb6 — Reply to this email directly, view it on GitHub <#94 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAXCKPUOMKKOBBEDMTUATTXM2DXBANCNFSM6AAAAAAZRTOYLU> . You are receiving this because you commented.Message ID: ***@***.***>

[existful]

It looks like the right upsteam, the source comes from PyPi https://pypi.org/project/suds/#files

SHA256 hash are identical.

/usr/ports/net/py-suds/Makefile

PORTNAME=       suds
PORTVERSION=    1.1.2
CATEGORIES=     net python
MASTER_SITES=   PYPI
PKGNAMEPREFIX=  ${PYTHON_PKGNAMEPREFIX}

MAINTAINER=     sunpoet@FreeBSD.org
COMMENT=        Lightweight SOAP client (community fork)
WWW=            https://github.com/suds-community/suds

LICENSE=        LGPL3
LICENSE_FILE=   ${WRKSRC}/LICENSE.txt

USES=           python:3.6+
USE_PYTHON=     autoplist concurrent distutils pytest

NO_ARCH=        yes

.include <bsd.port.mk>

/usr/ports/net/py-suds/distinfo

TIMESTAMP = 1656522306
SHA256 (suds-1.1.2.tar.gz) = 1d5cfa74117193b244a4233f246c483d9f41198b448c5f14a8bad11c4f649f2b
SIZE (suds-1.1.2.tar.gz) = 285336

[phillbaker]

The page at https://vuxml.freebsd.org/freebsd/b31f7029-817c-4c1f-b7d3-252de5283393.html points to https://osv.dev/vulnerability/PYSEC-2013-32 which points to https://github.com/pypa/advisory-database/blob/main/vulns/suds/PYSEC-2013-32.yaml It’s not clear exactly how the repository at pypa/advisory-database creates a list of affected versions but that report references the similar GitHub security advisory which does correctly show version 1.0 as having the fix: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vpqp-hx68-p2wx/GHSA-vpqp-hx68-p2wx.json My suggestion would be to open an issue on https://github.com/pypa/advisory-database as it looks like the PYSEC-2013-32 <https://github.com/pypa/advisory-database/blob/main/vulns/suds/PYSEC-2013-32.yaml> is not correct.

…

On Sat, Jun 24, 2023 at 2:13 PM existful ***@***.***> wrote: It looks like the right upsteam, the source comes from PyPi https://pypi.org/project/suds/#files SHA256 hash are identical. /usr/ports/net/py-suds/Makefile PORTNAME= suds PORTVERSION= 1.1.2 CATEGORIES= net python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= ***@***.*** COMMENT= Lightweight SOAP client (community fork) WWW= https://github.com/suds-community/suds LICENSE= LGPL3 LICENSE_FILE= ${WRKSRC}/LICENSE.txt USES= python:3.6+ USE_PYTHON= autoplist concurrent distutils pytest NO_ARCH= yes .include <bsd.port.mk> /usr/ports/net/py-suds/distinfo TIMESTAMP = 1656522306 SHA256 (suds-1.1.2.tar.gz) = 1d5cfa74117193b244a4233f246c483d9f41198b448c5f14a8bad11c4f649f2b SIZE (suds-1.1.2.tar.gz) = 285336 — Reply to this email directly, view it on GitHub <#94 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAXCKNJB5VOCDKMIV6XRWTXM4U5PANCNFSM6AAAAAAZRTOYLU> . You are receiving this because you commented.Message ID: ***@***.***>