Date: Fri, 5 Aug 2016 14:35:44 +0100 From: Matthew Seaman <matthew@FreeBSD.org> To: freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org Subject: Re: tiff vulnerability in ports? Message-ID: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> In-Reply-To: <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> References: <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5%2BGtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --F20QPLI27F5h47vCto5gbfMpNfcjS3xJx Content-Type: multipart/mixed; boundary="Qaiu2p9l05uCLgtgkW6PTwHU6U7i214s6" From: Matthew Seaman <matthew@FreeBSD.org> To: freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org Message-ID: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> Subject: Re: tiff vulnerability in ports? References: <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> In-Reply-To: <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> --Qaiu2p9l05uCLgtgkW6PTwHU6U7i214s6 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 2016/08/05 13:55, alphachi wrote: > Please see this link to get more information: >=20 > https://svnweb.freebsd.org/ports?view=3Drevision&revision=3D418585 >=20 > 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav@gmail.com>: >=20 >> This is perhaps a question for the tiff devs more than anything, but I= >> noticed that pkg audit has been complaining about libtiff (graphics/ti= ff) >> for some time now. >> >> FreeBSD's VUXML database says anything before 4.0.7 is affected, but >> apparently that version hasn't been released yet (according to >> http://www.remotesensing.org/libtiff/, the latest stable release is st= ill >> 4.0.6). >> >> Anyone know what's going on? Is there a release upcoming to fix this? Yeah -- this vulnerability: https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.ht= ml has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7 release from upstream yet. Given their approach to fixing the buffer overflow was to delete the offending gif2tiff application from the package, perhaps we could simply do the same until 4.0.7 comes out. Cheers, Matthew --Qaiu2p9l05uCLgtgkW6PTwHU6U7i214s6-- --F20QPLI27F5h47vCto5gbfMpNfcjS3xJx Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJXpJY4XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnaAEP/0BtN8C1ID3W6N2N96P8K/ej DukFQaz/xvrGq/fRDPUigh/MTGJDntGKLnfcA6DyO52puNCZXxilqS5J7xxA3FaX 2W5rd4LdsiV0B1jAKkoNEp0YyzNcDbWSqVy8OKquFo5qjnx2VdA5GcCVdhkbswhF voXuHEMV3OqgLuS/Mkn7ZpczYrUl+aPaLIrO1eYsT4LZYUg/Mfe5/KNoqBX/3mPG CgFhIANB5FZtl3ep81+faTLRF1F5vMtmxmp3AO1wG/XvDuhGhgGV8LLZvk7rL3wd rW0PE38kYvW8GfXDBFwBxf3PNxdA0uIhuBJdEtt+tuQwOdA7/ssLwGnJ5VbCGlWq L4+ltzE+XL0/LWwwDu0QiS0y0xO4Cc4pLZwbOjAsGMi3ICLFoNHQPkIatEWpdALY FO+D6E6V5EB8PM+WgRJP04TWnIKl+WPVTFWm1B5eAnUDNFcaw7xBThLwzZcTk069 LEhjcCjriu1XBv7UhcqGtPZGMdqlhNftvktndJC7gAXk9zld0spHqhfjeIwIDY9A hj3AE8wC+8cTUcxFL19xlLDUfbGh7N8G6zdDmbGosmz4VuFF7tjUIEeLBkgni/N0 Hdu/XgX2RfI7c1Dp2ZxvjFp/v8ROI41QjJAEGZHEj/7X2QcdvBSmNNxyZ/xvnP/1 NiaOES/i40fDGYhgMLqL =2z+v -----END PGP SIGNATURE----- --F20QPLI27F5h47vCto5gbfMpNfcjS3xJx--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?33ac70de-78b6-dc54-e81f-3153d0d721e4>