From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org
Subject: Re: tiff vulnerability in ports?
Date: Fri, 5 Aug 2016 14:35:44 +0100
Message-ID: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

On 2016/08/05 13:55, alphachi wrote:
> Please see this link to get more information:
>
> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>
> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav:
>
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>>
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>>
>> Anyone know what's going on? Is there a release upcoming to fix this?

Yeah -- this vulnerability:

https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
release from upstream yet. Given their approach to fixing the buffer
overflow was to delete the offending gif2tiff application from the
package, perhaps we could simply do the same until 4.0.7 comes out.

Cheers,

Matthew
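The thread turns on what `pkg audit` is actually doing: matching the installed `tiff-4.0.6` against the VuXML entry's `< 4.0.7` range, so that a port with no upstream release to move to stays flagged (here until 4.0.7 ships or the vid is updated). The script below is an added example, not code from the thread, from the FreeBSD ports tree or from pkg(8). It parses a constructed VuXML-style fragment (element layout `vuln/affects/package/name/range` with `lt`/`le`/`eq`/`ge`/`gt` bounds; the vid is the one from the URL above, the topic text is a placeholder) and applies a simplified re-implementation of FreeBSD's `version[_revision][,epoch]` ordering. That comparator is an assumption for illustration and is not pkg's own, which handles more corner cases.

```python
"""Match installed package versions against VuXML affected ranges.

Added example for the thread above; not FreeBSD project code.  The XML
fragment is constructed in VuXML's layout and carries only the range the
thread quotes (tiff < 4.0.7).  compare_versions() is a simplified model of
FreeBSD's version[_revision][,epoch] ordering, not pkg(8)'s comparator.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment; vid copied from the vuxml.freebsd.org URL in the thread.
VUXML_FRAGMENT = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8">
    <topic>tiff -- placeholder topic (constructed for this example)</topic>
    <affects>
      <package>
        <name>tiff</name>
        <range><lt>4.0.7</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_pkg_version(ver):
    """Split 'version[_revision][,epoch]' into (epoch, parts, revision).

    Each dotted component becomes (number, alpha-suffix) so that "6" < "6a".
    Simplified: pkg(8) has further rules (e.g. 'pl', '+') not modelled here.
    """
    epoch = 0
    if "," in ver:
        ver, epoch = ver.rsplit(",", 1)
        epoch = int(epoch)
    revision = 0
    if "_" in ver:
        ver, revision = ver.rsplit("_", 1)
        revision = int(revision)
    parts = []
    for tok in ver.split("."):
        m = re.match(r"(\d*)(.*)", tok)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return epoch, parts, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like a C comparator: epoch, then version, then revision."""
    ea, pa, ra = parse_pkg_version(a)
    eb, pb, rb = parse_pkg_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))
    pa = pa + [(0, "")] * (n - len(pa))   # treat 4.0 and 4.0.0 as equal
    pb = pb + [(0, "")] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


# VuXML bound element -> predicate on compare_versions(installed, bound)
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def affected_vulns(vuxml_text, pkgname, pkgversion):
    """Return the vids whose ranges match pkgname-pkgversion.

    A <package> may list several <name>s and several <range>s; all bounds
    inside one <range> must hold (e.g. <ge>4.0</ge><lt>4.0.7</lt>), and any
    matching <range> marks the package as affected.
    """
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for package in vuln.findall("v:affects/v:package", NS):
            if pkgname not in [n.text for n in package.findall("v:name", NS)]:
                continue
            for rng in package.findall("v:range", NS):
                bounds = [(b.tag.rsplit("}", 1)[-1], b.text) for b in rng]
                if bounds and all(OPS[op](compare_versions(pkgversion, bound))
                                  for op, bound in bounds):
                    hits.append(vuln.get("vid"))
                    break
    return hits


def audit(installed):
    """installed: 'name-version' strings as `pkg query %n-%v` prints them."""
    report = {}
    for pkg in installed:
        name, _, version = pkg.rpartition("-")
        report[pkg] = affected_vulns(VUXML_FRAGMENT, name, version)
    return report


if __name__ == "__main__":
    # Constructed sample of installed packages.
    for pkg, vids in audit(["tiff-4.0.6", "tiff-4.0.6_1", "tiff-4.0.7",
                            "png-1.6.23"]).items():
        print(pkg, "vulnerable: " + ", ".join(vids) if vids else "ok")
```

The point the output makes is the one the thread is circling: bumping `PORTREVISION` (`tiff-4.0.6_1`) does not move the package out of a `< 4.0.7` range, so a ports-side fix such as dropping `gif2tiff` from the package would still need the VuXML entry itself amended (or its range narrowed) before `pkg audit` stops reporting the port.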