Date: Wed, 29 Nov 2017 23:45:24 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 223979] graphics/OpenEXR is NOT vulnerable Message-ID: <bug-223979-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D223979 Bug ID: 223979 Summary: graphics/OpenEXR is NOT vulnerable Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: mandree@FreeBSD.org Reporter: mi@ALDAN.algebra.com Flags: maintainer-feedback?(mandree@FreeBSD.org) Assignee: mandree@FreeBSD.org The port is marked "vulnerable", but the the package's upstream maintainer argues persuasively, that the vulnerabilities aren't real: https://github.com/openexr/openexr/issues/232 His argument boils down to the fact that, in order to "exploit" them, one n= eeds to write a broken program and link it with OpenEXR's libraries. One such program is exr2aces included in the sources, but _not installed by our port= _. The GitHub link has pull-requests -- some of them recent -- but the point stands, the breakage is not and the port is not vulnerable. Perhaps, we ought to remove it from vuxml.xml and undeprecate the port -- especially now that KDE-bits offer it as a new option. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-223979-13>