Date:      Fri, 5 Aug 2016 14:35:44 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org
Subject:   Re: tiff vulnerability in ports?
Message-ID:  <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
In-Reply-To: <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com>
References:  <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com>

On 2016/08/05 13:55, alphachi wrote:
> Please see this link to get more information:
> 
> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> 
> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav@gmail.com>:
> 
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>>
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>>
>> Anyone know what's going on? Is there a release upcoming to fix this?

Yeah -- this vulnerability:

https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
release from upstream yet.

Given their approach to fixing the buffer overflow was to delete the
offending gif2tiff application from the package, perhaps we could simply
do the same until 4.0.7 comes out.

	Cheers,

	Matthew
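The thread turns on how pkg audit decides that tiff-4.0.6 is affected: the VuXML entry carries only a lower-bound-style range (anything before 4.0.7), so the audit hit does not depend on 4.0.7 actually existing upstream. The script below is an added example, not code from this thread, from pkg(8) or from the FreeBSD VuXML tooling. It parses a constructed VuXML-style fragment (real entry structure, but the topic text and range are stand-ins written for this example; only the vid is taken from the URL quoted above) and evaluates installed package versions against the <lt>/<ge> bounds with a simplified dotted-numeric compare that is not pkg's full version algorithm.

```python
"""Evaluate VuXML-style affected ranges against installed package versions.

Added example; not part of the mailing-list thread and not pkg(8)'s code.
The VuXML fragment is constructed for this example (structure of a real
entry, stand-in topic and range). The version compare is simplified.
"""
import xml.etree.ElementTree as ET

# Constructed VuXML-like fragment mirroring the situation in the thread:
# every tiff version before 4.0.7 is in the affected range.
VUXML_SAMPLE = """<vuxml>
  <vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8">
    <topic>libtiff -- buffer overflow in gif2tiff (constructed stand-in)</topic>
    <affects>
      <package>
        <name>tiff</name>
        <range><lt>4.0.7</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def version_key(v):
    """Turn 'epoch-aware' port versions like 4.0.6_1,2 into a sortable tuple.

    Order of precedence (as in FreeBSD ports): PORTEPOCH (',n') beats the
    dotted version, which beats PORTREVISION ('_n'). Non-numeric components
    are treated as 0; this is a simplification of pkg's real rules.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return (epoch, parts, rev)


def parse_vuxml(text):
    """Yield (vid, topic, package name, {bound tag: version}) per range."""
    root = ET.fromstring(text)
    entries = []
    for vuln in root.findall("vuln"):
        topic = vuln.findtext("topic")
        for pkg in vuln.find("affects").findall("package"):
            name = pkg.findtext("name")
            for rng in pkg.findall("range"):
                bounds = {b.tag: b.text.strip() for b in rng}
                entries.append((vuln.get("vid"), topic, name, bounds))
    return entries


# VuXML range elements: lt, le, gt, ge, eq. All bounds in one <range> must hold.
_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, bounds):
    k = version_key(version)
    return all(_OPS[tag](k, version_key(val)) for tag, val in bounds.items())


def audit(installed, vuxml_text=VUXML_SAMPLE):
    """installed: {package name: version}, as `pkg info` would report them.

    Returns a list of (pkgname-version, vid, topic) for every matching range.
    """
    hits = []
    for vid, topic, name, bounds in parse_vuxml(vuxml_text):
        if name in installed and in_range(installed[name], bounds):
            hits.append((f"{name}-{installed[name]}", vid, topic))
    return hits


if __name__ == "__main__":
    # Constructed inventory: the installed libtiff is the latest upstream
    # release named in the thread, so the audit flags it.
    for hit in audit({"tiff": "4.0.6", "png": "1.6.23"}):
        print("%s is vulnerable: %s (%s)" % hit)
```

Note that a PORTREVISION bump (4.0.6_1) is still inside the range: a port that removes gif2tiff, as suggested above, would still be flagged unless the VuXML entry itself is amended to reflect the patched revision.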
