From: Matthew Seaman <matthew@FreeBSD.org>
To: alphachi, Kevin Oberman
Cc: koobs@freebsd.org, Aleksandr Miroslav, FreeBSD Ports Security Team, Mailinglists FreeBSD, FreeBSD Ports ML
Subject: Re: tiff vulnerability in ports?
Date: Sat, 6 Aug 2016 13:23:29 +0100
List: freebsd-questions@freebsd.org

On 06/08/2016 04:39, alphachi wrote:
> Any update doesn't still land on the ports tree, but now "pkg audit -F" won't
> report graphics/tiff is vulnerable.

There has been a revised judgement about the gif2tiff program, in that while it can be made to crash by a specially crafted gif file, that does not in itself constitute a security problem.
This is not just the opinion of ports secteam, but concurs with, for example, the Debian security team.

I don't know what the current thinking is about removing gif2tiff from the libtiff package, but libtiff is one of those packages which very many other packages depend upon, and portmgr consequently requires experimental package build runs and in general much more stringent levels of testing before allowing any such change.

Cheers,

Matthew