tiff vulnerability in ports?

alphachi alphachi at mediaspirit.org
Sat Aug 6 03:39:14 UTC 2016


No update has landed in the ports tree yet, but "pkg audit -F" no longer
reports graphics/tiff as vulnerable.

2016-08-06 8:51 GMT+08:00 Kevin Oberman <rkoberman at gmail.com>:

> On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkoberman at gmail.com> wrote:
>
> > On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <koobs at freebsd.org> wrote:
> >
> >> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> >> > On 2016/08/05 13:55, alphachi wrote:
> >> >> Please see this link to get more information:
> >> >>
> >> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> >> >>
> >> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav at gmail.com>:
> >> >>
> >> >>> This is perhaps a question for the tiff devs more than anything, but I
> >> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
> >> >>> for some time now.
> >> >>>
> >> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> >> >>> apparently that version hasn't been released yet (according to
> >> >>> http://www.remotesensing.org/libtiff/, the latest stable release is
> >> still
> >> >>> 4.0.6).
> >> >>>
> >> >>> Anyone know what's going on? Is there a release upcoming to fix
> this?
> >> >
> >> > Yeah -- this vulnerability:
> >> >
> >> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> >> >
> >> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> >> > release from upstream yet.
> >> >
> >> > Given their approach to fixing the buffer overflow was to delete the
> >> > offending gif2tiff application from the package, perhaps we could simply
> >> > do the same until 4.0.7 comes out.
> >> >
> >> >       Cheers,
> >> >
> >> >       Matthew
> >> >
> >> >
> >>
> >> Hi Aleksandr  :)
> >>
> >> Also:
> >>
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
> >>
> >> Please add a comment to that bug to request resolution of the issue.
> >>
> >> Alternatively you (and anyone else) can just delete gif2tiff
> >>
> >> Unfortunately you are yet one more example of a user that's been left in
> >> the lurch without information or recourse wondering (rightfully) how
> >> they can resolve or mitigate this vulnerability. Our apologies.
> >>
> >>
> > This one is really annoying in that it is so easily fixed. Just modify the
> > port to not build or even not install gif2tiff. It's not going to be fixed
> > upstream. At least the last message in the bugzilla indicates that the
> > program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> > should get out front and just delete it now.
> >
> > A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> > should add it to the ticket.
> >
>
> Never mind. Mark Felder submitted it a week ago. If someone could look at
> it and commit?  I'd also suggest a note to UPDATING that gif2tiff is gone.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman at gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>



-- 
Paranoid in Sabbath ...
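The thread turns on how pkg audit decides that an installed tiff-4.0.6 falls inside the VuXML range "anything before 4.0.7". The following is an added example, not code from pkg(8), the ports tree or any participant in the thread: a small, self-contained re-implementation of that range check for pkg-style version strings (dotted numeric versions with an optional "_N" portrevision and ",N" portepoch). The SAMPLE_VULN entry is constructed here to mirror the tiff range discussed above; the real VuXML entry at the URL quoted in the thread is the authoritative source, and the comparison below is a deliberate simplification of pkg's ordering (alphabetic version components are rejected rather than ordered, so they are never silently misranked). The ge/le/gt/eq bounds go beyond the single "<4.0.7" case in the thread and cover the other bound types a VuXML <range> element can carry.

```python
"""Minimal VuXML-style version-range check (added example, not pkg's own code)."""
import re

# Constructed sample entry mirroring the range discussed in the thread:
# graphics/tiff is affected when its version is < 4.0.7. Assumption: the
# real entry uses the same <lt> bound; consult the VuXML page for the
# authoritative data.
SAMPLE_VULN = {
    "vid": "c17fe91d-4aa6-11e6-a7bd-14dae9d210b8",
    "package": "tiff",
    "ranges": [{"lt": "4.0.7"}],
}


def parse_version(ver):
    """Split a pkg-style version into (epoch, numeric components, portrevision).

    Accepts strings such as 4.0.6, 4.0.6_1 and 4.0.6_1,2. This is a simplified
    approximation of pkg(8)'s ordering: alphabetic components (e.g. 1.0a) are
    rejected with ValueError instead of being ordered, so a caller never gets
    a wrong answer for syntax this helper does not model.
    """
    epoch = 0
    if "," in ver:
        ver, epoch_str = ver.split(",", 1)
        epoch = int(epoch_str)
    rev = 0
    if "_" in ver:
        ver, rev_str = ver.split("_", 1)
        rev = int(rev_str)
    if not re.fullmatch(r"\d+(\.\d+)*", ver):
        raise ValueError("unsupported version syntax: %r" % ver)
    return epoch, tuple(int(p) for p in ver.split(".")), rev


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    # epoch dominates everything else: 4.0.6,1 is newer than 4.0.7
    if ea != eb:
        return -1 if ea < eb else 1
    # pad the shorter component tuple with zeros so that 4.0 == 4.0.0
    width = max(len(ca), len(cb))
    ca += (0,) * (width - len(ca))
    cb += (0,) * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    # same upstream version: the port revision decides
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


# VuXML <range> bound types, mapped onto the sign of compare_versions()
_OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(installed, rng):
    """True when installed satisfies every bound in one VuXML-style range dict."""
    return all(_OPS[op](compare_versions(installed, bound)) for op, bound in rng.items())


def affected(pkg_name, installed, vuln):
    """Decide, as pkg audit would, whether one installed package matches one entry."""
    if pkg_name != vuln["package"]:
        return False
    return any(in_range(installed, r) for r in vuln["ranges"])


if __name__ == "__main__":
    for ver in ("4.0.6", "4.0.6_1", "4.0.7", "4.0.7_1", "4.0.6,1"):
        print("tiff-%s affected: %s" % (ver, affected("tiff", ver, SAMPLE_VULN)))
```

Two details worth noticing: a port revision bump (4.0.6_1, which is what removing gif2tiff from the port would produce) still sits inside the "<4.0.7" range, so pkg audit would keep flagging the package until the VuXML entry itself is amended; and a port epoch bump (4.0.6,1) sorts above 4.0.7 entirely, which is why epochs must never be used as a shortcut to silence an audit warning.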

