From owner-freebsd-questions@freebsd.org Sat Aug 6 00:19:26 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
From: Kevin Oberman
Date: Fri, 5 Aug 2016 17:19:25 -0700
Subject: Re: tiff vulnerability in ports?
To: koobs@freebsd.org
Cc: Mailinglists FreeBSD, FreeBSD Ports ML, alexmiroslav@gmail.com, FreeBSD Ports Security Team, Matthew Seaman
References: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
Content-Type: text/plain; charset=UTF-8
List-Id: User questions

On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak wrote:
> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> > On 2016/08/05 13:55, alphachi wrote:
> >> Please see this link to get more information:
> >>
> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> >>
> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav :
> >>
> >>> This is perhaps a question for the tiff devs more than anything, but I
> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
> >>> for some time now.
> >>>
> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> >>> apparently that version hasn't been released yet (according to
> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
> >>> 4.0.6).
> >>>
> >>> Anyone know what's going on? Is there a release upcoming to fix this?
> >
> > Yeah -- this vulnerability:
> >
> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> >
> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> > release from upstream yet.
> >
> > Given their approach to fixing the buffer overflow was to delete the
> > offending gif2tiff application from the package, perhaps we could simply
> > do the same until 4.0.7 comes out.
> >
> > Cheers,
> >
> > Matthew
>
> Hi Aleksandr :)
>
> Also:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>
> Please add a comment to that bug to request resolution of the issue.
>
> Alternatively you (and anyone else) can just delete gif2tiff
>
> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.
>

This one is really annoying in that it is so easily fixed. Just modify the port to not build or even not install gif2tiff. It's not going to be fixed upstream. At least the last message in the bugzilla indicates that the program will simply be removed from 4.0.7 whenever it comes out. FreeBSD should get out front and just delete it now. A fix is trivial, but touches 20 files and, of course, the plist. Guess I should add it to the ticket.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
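As an added example (not from the thread, the tiff port or pkg), a small POSIX sh check that applies the VuXML range quoted in the thread (tiff before 4.0.7) to an installed version string and reports whether the gif2tiff binary, the component the entry is about, is present under a prefix. Assumptions: the prefix defaults to /usr/local, and versions are compared as dotted numbers after stripping FreeBSD's _revision and ,epoch suffixes, which is a simplification of pkg(8)'s full version rules.

```shell
#!/bin/sh
# Added example, not from the thread or the tiff port. Checks whether an
# installed tiff version is inside the VuXML range the thread quotes (< 4.0.7)
# and whether the gif2tiff binary is installed under a prefix. Assumptions:
# prefix defaults to /usr/local; versions are compared as dotted numbers after
# stripping FreeBSD's _revision and ,epoch suffixes (simplified vs. pkg(8)).

# Compare two dotted versions; prints -1, 0 or 1 like strcmp.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the package version is in the affected range (< 4.0.7).
tiff_affected() {
    v=${1%%,*}; v=${v%%_*}          # drop ,epoch then _revision suffix
    [ "$(vercmp "$v" 4.0.7)" -lt 0 ]
}

# True when the gif2tiff binary exists under the given prefix.
gif2tiff_present() {
    [ -x "$1/bin/gif2tiff" ]
}

# Print a one-line verdict; exit 0 only when the host is actually exposed
# (affected version AND gif2tiff installed), otherwise 1.
tiff_report() {
    ver=$1; prefix=${2:-/usr/local}
    if ! tiff_affected "$ver"; then
        echo "tiff-$ver: not in the affected range (< 4.0.7)"; return 1
    fi
    if gif2tiff_present "$prefix"; then
        echo "tiff-$ver: affected and $prefix/bin/gif2tiff is installed; remove it or rebuild the port without it"
        return 0
    fi
    echo "tiff-$ver: affected version, but gif2tiff is not installed under $prefix"
    return 1
}
```

Run as `tiff_report "$(pkg query %v tiff)"` on a FreeBSD host to combine it with the installed package version.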