Date: Sat, 6 Aug 2016 11:39:09 +0800 From: alphachi <alphachi@mediaspirit.org> To: Kevin Oberman <rkoberman@gmail.com> Cc: koobs@freebsd.org, Aleksandr Miroslav <alexmiroslav@gmail.com>, FreeBSD Ports Security Team <ports-secteam@freebsd.org>, Matthew Seaman <matthew@freebsd.org>, Mailinglists FreeBSD <freebsd-questions@freebsd.org>, FreeBSD Ports ML <freebsd-ports@freebsd.org> Subject: Re: tiff vulnerability in ports? Message-ID: <CAJN5%2BGthF1XspVD7AQPU5BTkVOMiiUCWRC-u2WZwZhnFY0DVRw@mail.gmail.com> In-Reply-To: <CAN6yY1s19bUU=aHGH_syxf7Sw9eDWdawWbC=ddRYO-yhVSKLCQ@mail.gmail.com> References: <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org> <CAN6yY1s5SL_dZviE=hMUzT=znieHC96dHB%2BsE6pHaJoYZM2TrQ@mail.gmail.com> <CAN6yY1s19bUU=aHGH_syxf7Sw9eDWdawWbC=ddRYO-yhVSKLCQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Any update doesn't still land on ports tree, but now "pkg audit -F" won't report graphics/tiff is vulnerable. 2016-08-06 8:51 GMT+08:00 Kevin Oberman <rkoberman@gmail.com>: > On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkoberman@gmail.com> wrote: > > > On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <koobs@freebsd.org> wrote: > > > >> On 5/08/2016 11:35 PM, Matthew Seaman wrote: > >> > On 2016/08/05 13:55, alphachi wrote: > >> >> Please see this link to get more information: > >> >> > >> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585 > >> >> > >> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav@gmail.com > >: > >> >> > >> >>> This is perhaps a question for the tiff devs more than anything, > but I > >> >>> noticed that pkg audit has been complaining about libtiff > >> (graphics/tiff) > >> >>> for some time now. > >> >>> > >> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but > >> >>> apparently that version hasn't been released yet (according to > >> >>> http://www.remotesensing.org/libtiff/, the latest stable release is > >> still > >> >>> 4.0.6). > >> >>> > >> >>> Anyone know what's going on? Is there a release upcoming to fix > this? > >> > > >> > Yeah -- this vulnerability: > >> > > >> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd- > >> 14dae9d210b8.html > >> > > >> > has been in VuXML since 2016-07-15 but there's no indication of a > 4.0.7 > >> > release from upstream yet. > >> > > >> > Given their approach to fixing the buffer overflow was to delete the > >> > offending gif2tiff application from the package, perhaps we could > simply > >> > do the same until 4.0.7 comes out. > >> > > >> > Cheers, > >> > > >> > Matthew > >> > > >> > > >> > >> Hi Aleksandr :) > >> > >> Also: > >> > >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405 > >> > >> Please add a comment to that bug to request resolution of the issue. > >> > >> Alternatively you (and anyone else) can just delete gif2tiff > >> > >> Unfortunately you are yet one more example of a user that's been left in > >> the lurch without information or recourse wondering (rightfully) how > >> they can resolve or mitigate this vulnerability. Our apologies. > >> > >> > > This one is really annoying in that it is so easily fixed. Just modify > the > > port to not build or even not install gif2tiff. It's not going to be > fixed > > upstream. At least the last message in the bugzilla indicates that the > > program will simply be removed from 4.0.7 whenever it comes out. FreeBSD > > should get out front and just delete it now. > > > > A fix is trivial, but touches 20 files and, of course, the plist. Guess I > > should add it to the ticket. > > > > Never mind. Mark Felder submitted it a week ago. If someone could look at > it and commit? I'd also suggest a note to UPDATING that gif2tif is gone. > -- > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkoberman@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions- > unsubscribe@freebsd.org" > -- Paranoid in Sabbath ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJN5%2BGthF1XspVD7AQPU5BTkVOMiiUCWRC-u2WZwZhnFY0DVRw>