Date:      Sat, 6 Aug 2016 13:23:29 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        alphachi <alphachi@mediaspirit.org>, Kevin Oberman <rkoberman@gmail.com>
Cc:        koobs@freebsd.org, Aleksandr Miroslav <alexmiroslav@gmail.com>, FreeBSD Ports Security Team <ports-secteam@freebsd.org>, Mailinglists FreeBSD <freebsd-questions@freebsd.org>, FreeBSD Ports ML <freebsd-ports@freebsd.org>
Subject:   Re: tiff vulnerability in ports?
Message-ID:  <dc72cbc4-eb4d-e28a-87cc-bfdfca3a34f6@FreeBSD.org>
In-Reply-To: <CAJN5+GthF1XspVD7AQPU5BTkVOMiiUCWRC-u2WZwZhnFY0DVRw@mail.gmail.com>
References:  <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org> <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org> <CAN6yY1s5SL_dZviE=hMUzT=znieHC96dHB+sE6pHaJoYZM2TrQ@mail.gmail.com> <CAN6yY1s19bUU=aHGH_syxf7Sw9eDWdawWbC=ddRYO-yhVSKLCQ@mail.gmail.com> <CAJN5+GthF1XspVD7AQPU5BTkVOMiiUCWRC-u2WZwZhnFY0DVRw@mail.gmail.com>

On 06/08/2016 04:39, alphachi wrote:
> Any update doesn't still land on ports tree, but now "pkg audit -F" won't
> report graphics/tiff is vulnerable.

There has been a revised judgement about the gif2tiff program, in that
while it can be made to crash by a specially crafted gif file, that does
not in itself constitute a security problem.  This is not just the
opinion of ports secteam, but concurs with, for example, the Debian
security team.

I don't know what the current thinking is about removing gif2tiff from
the libtiff package, but libtiff is one of those packages which very
many other packages depend upon, and portmgr consequently requires
experimental package build runs and in general much more stringent
levels of testing before allowing any such change.

	Cheers,

	Matthew



