tiff vulnerability in ports?

Kevin Oberman rkoberman at gmail.com
Sat Aug 6 00:51:12 UTC 2016


On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkoberman at gmail.com> wrote:

> On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <koobs at freebsd.org> wrote:
>
>> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
>> > On 2016/08/05 13:55, alphachi wrote:
>> >> Please see this link to get more information:
>> >>
>> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>> >>
>> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav at gmail.com>:
>> >>
>> >>> This is perhaps a question for the tiff devs more than anything, but I
>> >>> noticed that pkg audit has been complaining about libtiff
>> (graphics/tiff)
>> >>> for some time now.
>> >>>
>> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> >>> apparently that version hasn't been released yet (according to
>> >>> http://www.remotesensing.org/libtiff/, the latest stable release is
>> still
>> >>> 4.0.6).
>> >>>
>> >>> Anyone know what's going on? Is there a release upcoming to fix this?
>> >
>> > Yeah -- this vulnerability:
>> >
>> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-
>> 14dae9d210b8.html
>> >
>> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> > release from upstream yet.
>> >
>> > Given their approach to fixing the buffer overflow was to delete the
>> > offending gif2tiff application from the package, perhaps we could simply
>> > do the same until 4.0.7 comes out.
>> >
>> >       Cheers,
>> >
>> >       Matthew
>> >
>> >
>>
>> Hi Aleksandr  :)
>>
>> Also:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>>
>> Please add a comment to that bug to request resolution of the issue.
>>
>> Alternatively you (and anyone else) can just delete gif2tiff
>>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>>
>>
> This one is really annoying in that it is so easily fixed. Just modify the
> port to not build or even not install gif2tiff. It's not going to be fixed
> upstream. At least the last message in the bugzilla indicates that the
> program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> should get out front and just delete it now.
>
> A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> should add it to the ticket.
>

Never mind. Mark Felder submitted it a week ago. If someone could look at
it and commit?  I'd also suggest a note to UPDATING that gif2tif is gone.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


More information about the freebsd-questions mailing list