From owner-freebsd-ports@freebsd.org Sat Aug 6 03:39:14 2016
From: alphachi
Date: Sat, 6 Aug 2016 11:39:09 +0800
Subject: Re: tiff vulnerability in ports?
To: Kevin Oberman
Cc: koobs@freebsd.org, Aleksandr Miroslav, FreeBSD Ports Security Team, Matthew Seaman, Mailinglists FreeBSD, FreeBSD Ports ML
List-Id: Porting software to FreeBSD

No update has landed on the ports tree yet, but "pkg audit -F" no longer reports graphics/tiff as vulnerable.

2016-08-06 8:51 GMT+08:00 Kevin Oberman:
> On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman wrote:
>
> > On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak wrote:
> >
> >> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> >> > On 2016/08/05 13:55, alphachi wrote:
> >> >> Please see this link to get more information:
> >> >>
> >> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> >> >>
> >> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav:
> >> >>
> >> >>> This is perhaps a question for the tiff devs more than anything, but I
> >> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
> >> >>> for some time now.
> >> >>>
> >> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> >> >>> apparently that version hasn't been released yet (according to
> >> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
> >> >>> 4.0.6).
> >> >>>
> >> >>> Anyone know what's going on? Is there a release upcoming to fix this?
> >> >
> >> > Yeah -- this vulnerability:
> >> >
> >> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> >> >
> >> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> >> > release from upstream yet.
> >> >
> >> > Given their approach to fixing the buffer overflow was to delete the
> >> > offending gif2tiff application from the package, perhaps we could simply
> >> > do the same until 4.0.7 comes out.
> >> >
> >> > Cheers,
> >> >
> >> > Matthew
> >>
> >> Hi Aleksandr :)
> >>
> >> Also:
> >>
> >> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
> >>
> >> Please add a comment to that bug to request resolution of the issue.
> >>
> >> Alternatively you (and anyone else) can just delete gif2tiff.
> >>
> >> Unfortunately you are yet one more example of a user that's been left in
> >> the lurch without information or recourse, wondering (rightfully) how
> >> they can resolve or mitigate this vulnerability. Our apologies.
> >
> > This one is really annoying in that it is so easily fixed. Just modify the
> > port to not build or even not install gif2tiff. It's not going to be fixed
> > upstream. At least the last message in the bugzilla indicates that the
> > program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> > should get out front and just delete it now.
> >
> > A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> > should add it to the ticket.
>
> Never mind. Mark Felder submitted it a week ago. If someone could look at
> it and commit? I'd also suggest a note to UPDATING that gif2tiff is gone.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

--
Paranoid in Sabbath ...
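The thread's practical advice for an administrator is twofold: run "pkg audit -F" (the -F flag fetches a fresh VuXML database before auditing) to see whether graphics/tiff is still flagged, and, as an interim mitigation, remove the gif2tiff binary until a tiff release without it ships. The following POSIX shell script is an added example, not code from the thread or from the FreeBSD ports tree: it parses pkg audit output for the "<package> is vulnerable:" headers and checks whether gif2tiff is still present under a given prefix. The audit output embedded in it is a constructed sample (the VuXML URL is the one cited in the thread; the description line is made up, since the thread quotes none), and the prefix passed to the check is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses pkg(8) audit output and
# checks whether the gif2tiff binary is installed under a given prefix.

# Constructed sample of what "pkg audit -F" prints while a package is
# flagged. The VuXML URL is the one cited in the thread; the description
# line is invented for the sample, and no CVE line is included because the
# thread lists no CVE ids.
SAMPLE_AUDIT='tiff-4.0.6 is vulnerable:
libtiff -- constructed sample description line
WWW: https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

1 problem(s) in the installed packages found.'

# flagged_packages: read audit output on stdin and print one package name
# (with version) per line for every "<pkg>-<ver> is vulnerable:" header.
flagged_packages() {
    sed -n 's/^\([^ ]*\) is vulnerable:$/\1/p'
}

# audit_flags NAME TEXT: return 0 if TEXT names package NAME (without its
# version) as vulnerable, 1 otherwise. The "-[0-9]" anchor keeps "tiff"
# from matching e.g. "tiff-tools" or "libtiff".
audit_flags() {
    pkgname=$1
    printf '%s\n' "$2" | flagged_packages | grep -q "^${pkgname}-[0-9]"
}

# gif2tiff_present PREFIX: return 0 if PREFIX/bin/gif2tiff is an executable
# file, 1 if not. The thread's interim mitigation is simply removing this
# binary, so a clean host returns 1 here.
gif2tiff_present() {
    [ -x "$1/bin/gif2tiff" ]
}

# Stand-alone demonstration on the constructed sample and an assumed prefix.
if [ "${1:-}" = "demo" ]; then
    prefix=${2:-/usr/local}   # assumption: the usual ports prefix
    if audit_flags tiff "$SAMPLE_AUDIT"; then
        echo "sample audit output flags graphics/tiff"
    else
        echo "sample audit output does not flag graphics/tiff"
    fi
    if gif2tiff_present "$prefix"; then
        echo "gif2tiff is still installed under $prefix/bin"
    else
        echo "gif2tiff is not installed under $prefix/bin"
    fi
fi
```

To use it against a live system rather than the sample, feed real output with "pkg audit -F | flagged_packages"; the "is vulnerable:" header format is what pkg audit prints per affected package, and the check stays useful after the port itself is fixed, since a package rebuilt without gif2tiff should leave gif2tiff_present returning 1.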