From: Kevin Oberman
Date: Fri, 5 Aug 2016 17:51:11 -0700
Subject: Re: tiff vulnerability in ports?
To: koobs@freebsd.org
Cc: Mailinglists FreeBSD, FreeBSD Ports ML, alexmiroslav@gmail.com, FreeBSD Ports Security Team, Matthew Seaman
List-Id: User questions (freebsd-questions@freebsd.org)

On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman wrote:
> On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak wrote:
>
>> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
>> > On 2016/08/05 13:55, alphachi wrote:
>> >> Please see this link to get more information:
>> >>
>> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>> >>
>> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav :
>> >>
>> >>> This is perhaps a question for the tiff devs more than anything, but I
>> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> >>> for some time now.
>> >>>
>> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> >>> apparently that version hasn't been released yet (according to
>> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> >>> 4.0.6).
>> >>>
>> >>> Anyone know what's going on? Is there a release upcoming to fix this?
>> >
>> > Yeah -- this vulnerability:
>> >
>> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>> >
>> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> > release from upstream yet.
>> >
>> > Given their approach to fixing the buffer overflow was to delete the
>> > offending gif2tiff application from the package, perhaps we could simply
>> > do the same until 4.0.7 comes out.
>> >
>> > Cheers,
>> >
>> > Matthew
>>
>> Hi Aleksandr :)
>>
>> Also:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>>
>> Please add a comment to that bug to request resolution of the issue.
>>
>> Alternatively you (and anyone else) can just delete gif2tiff
>>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>
> This one is really annoying in that it is so easily fixed. Just modify the
> port to not build or even not install gif2tiff. It's not going to be fixed
> upstream. At least the last message in the bugzilla indicates that the
> program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> should get out front and just delete it now.
>
> A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> should add it to the ticket.

Never mind. Mark Felder submitted it a week ago. If someone could look at it and commit? I'd also suggest a note to UPDATING that gif2tiff is gone.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
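The thread boils down to two facts a local admin can act on: VuXML flags every libtiff release before 4.0.7 as affected, and the only affected component is the gif2tiff helper, which the thread proposes simply deleting until 4.0.7 ships. The script below is an added example written for this page, not code from the thread, from FreeBSD, or from the libtiff project. It reproduces the "before 4.0.7" decision pkg audit makes, checks whether gif2tiff is installed under a given prefix, and applies the mitigation the thread describes. The prefix argument and the assumption that libtiff's version is a plain dotted string like "4.0.6" are mine; nothing here touches the ports tree or plist.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes a FreeBSD-style
# install prefix (default /usr/local) and a dotted libtiff version string.

# version_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Pure awk so it works on base-system FreeBSD without GNU sort -V.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions: not "less than"
  }'
}

# tiff_affected VERSION: the VuXML entry quoted in the thread says anything
# before 4.0.7 is affected; return 0 when the installed version matches that.
tiff_affected() {
  version_lt "$1" "4.0.7"
}

# gif2tiff_present [PREFIX]: is the vulnerable helper installed?
gif2tiff_present() {
  [ -x "${1:-/usr/local}/bin/gif2tiff" ]
}

# mitigate_gif2tiff [PREFIX]: the interim fix the thread proposes, removing
# only gif2tiff and leaving the rest of the libtiff package in place.
mitigate_gif2tiff() {
  prefix="${1:-/usr/local}"
  if gif2tiff_present "$prefix"; then
    rm -f "$prefix/bin/gif2tiff" && echo "removed $prefix/bin/gif2tiff"
  else
    echo "gif2tiff not present under $prefix"
  fi
}

# Example run against the version the thread names as current upstream.
# (Constructed input; the real version comes from `pkg info tiff`.)
installed="4.0.6"
if tiff_affected "$installed"; then
  echo "libtiff $installed is before 4.0.7: affected per VuXML"
  mitigate_gif2tiff "${1:-/usr/local}"
else
  echo "libtiff $installed is 4.0.7 or later: not affected"
fi
```

Run it as root with an optional prefix argument; on a box where gif2tiff has already been removed by the updated port it simply reports that the file is absent, which is the same end state the thread is asking the port to produce.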