From owner-freebsd-ports@freebsd.org Fri Aug 5 15:44:13 2016
From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
To: freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org, alexmiroslav@gmail.com
Cc: Matthew Seaman, FreeBSD Ports Security Team
Subject: Re: tiff vulnerability in ports?
Date: Sat, 6 Aug 2016 01:43:56 +1000
In-Reply-To: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
List-Id: Porting software to FreeBSD

On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> On 2016/08/05 13:55, alphachi wrote:
>> Please see this link to get more information:
>>
>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>>
>> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav :
>>
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>>
>>> FreeBSD's VuXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>>
>>> Anyone know what's going on? Is there a release upcoming to fix this?
>
> Yeah -- this vulnerability:
>
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>
> has been in VuXML since 2016-07-15, but there's no indication of a 4.0.7
> release from upstream yet.
>
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
>
> Cheers,
>
> Matthew

Hi Aleksandr :)

Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively, you (and anyone else) can just delete gif2tiff.

Unfortunately you are yet one more example of a user that's been left in
the lurch without information or recourse, wondering (rightfully) how they
can resolve or mitigate this vulnerability. Our apologies.

Hope that helps.
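The interim mitigation the thread settles on (drop the gif2tiff binary while waiting for a fixed port) is easy to script. The helper below is an added example, not code from the thread, the tiff port or the FreeBSD Ports Security Team. It assumes the default ports PREFIX of /usr/local, that the port installs the binary as bin/gif2tiff with a man page at man/man1/gif2tiff.1.gz, and the `pkg audit -F` output shape shown in the constructed SAMPLE_AUDIT string; the functions take their input as arguments so they can be exercised offline.

```shell
#!/bin/sh
# Added example: detect a pkg-audit hit on the tiff package and remove the
# gif2tiff binary as a stop-gap until a fixed tiff port is available.
# Not from the mailing-list thread. Assumes PREFIX=/usr/local and the
# pkg audit output format reproduced in SAMPLE_AUDIT (constructed sample).

# Constructed sample of what `pkg audit -F` prints on an affected host.
SAMPLE_AUDIT='tiff-4.0.6_2 is vulnerable:
libtiff -- multiple vulnerabilities
WWW: https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

1 problem(s) in the installed packages found.'

# Print every package name (with version) that the audit text flags,
# one per line. Argument: the captured pkg audit output.
audit_vulnerable_pkgs() {
    printf '%s\n' "$1" | sed -n 's/^\([^ ]*\) is vulnerable:$/\1/p'
}

# Exit 0 if the audit text flags the tiff package, 1 otherwise.
audit_flags_tiff() {
    audit_vulnerable_pkgs "$1" | grep -q '^tiff-'
}

# Remove gif2tiff and its man page under the given prefix (default
# /usr/local). Idempotent: exits 0 whenever the binary is absent afterwards,
# 1 if rm failed. Only the gif2tiff files are touched; libtiff stays intact.
remove_gif2tiff() {
    prefix=${1:-/usr/local}
    bin="$prefix/bin/gif2tiff"
    man="$prefix/man/man1/gif2tiff.1.gz"          # assumed man page path
    if [ -e "$bin" ]; then
        rm -f "$bin" || return 1
    fi
    if [ -e "$man" ]; then
        rm -f "$man"
    fi
    [ ! -e "$bin" ]
}

# Stand-alone run: show what the parser extracts from the sample. The
# removal step is deliberately not run unattended; on a real host do
#   audit_flags_tiff "$(pkg audit -F)" && remove_gif2tiff
# as root once you have read the audit output yourself.
printf 'flagged packages in sample audit output:\n'
audit_vulnerable_pkgs "$SAMPLE_AUDIT"
```

Two caveats for anyone applying this: `pkg audit` matches the installed package version against VuXML, so it will keep reporting tiff-4.0.6_2 after the binary is gone (the remaining library is unchanged; only the gif2tiff attack surface is removed), and `pkg check -s tiff` will now report a missing file. Any later `pkg upgrade` or reinstall of the unfixed package puts gif2tiff back, so re-run the removal until a corrected port lands.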