tiff vulnerability in ports?

Matthew Seaman matthew at FreeBSD.org
Fri Aug 5 13:36:13 UTC 2016

On 2016/08/05 13:55, alphachi wrote:
> Please see this link to get more information:
> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav at gmail.com>:
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>> Anyone know what's going on? Is there a release upcoming to fix this?

Yeah -- this vulnerability:


has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
release from upstream yet.

Given their approach to fixing the buffer overflow was to delete the
offending gif2tiff application from the package, perhaps we could simply
do the same until 4.0.7 comes out.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160805/aaacabaa/attachment.sig>

More information about the freebsd-questions mailing list