tiff vulnerability in ports?

Matthew Seaman matthew at FreeBSD.org
Sat Aug 6 12:24:00 UTC 2016


On 06/08/2016 04:39, alphachi wrote:
> No update has landed in the ports tree yet, but now "pkg audit -F" won't
> report graphics/tiff as vulnerable.

There has been a revised judgement about the gif2tiff program, in that
while it can be made to crash by a specially crafted gif file, that does
not in itself constitute a security problem.  This is not just the
opinion of ports secteam, but concurs with, for example, the Debian
security team.

I don't know what the current thinking is about removing gif2tiff from
the libtiff package, but libtiff is one of those packages which very
many other packages depend upon, and portmgr consequently requires
experimental package build runs and in general much more stringent
levels of testing before allowing any such change.

	Cheers,

	Matthew


