Date: Wed, 27 Jul 2016 11:40:00 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211405] graphics/tiff: Remove gif2tiff (Reporting still vulnerable to CVE-2016-5102)
Message-ID: <bug-211405-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Bug ID: 211405
Summary: graphics/tiff: Remove gif2tiff (Reporting still vulnerable to CVE-2016-5102)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Keywords: needs-patch, security
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: portmgr@FreeBSD.org
Reporter: koobs@FreeBSD.org
CC: feld@FreeBSD.org, ports-secteam@FreeBSD.org
Flags: maintainer-feedback?(portmgr@FreeBSD.org), merge-quarterly?

A user reports on IRC (dastore @ freenode), requesting ETA on update to the
tiff port.

User reports:

    tiff-4.0.6_2 is vulnerable:
    CVE: CVE-2016-5102

4.0.6_2 appears to be the latest version in the tree committed by feld with
comment:

    An additional CVE is not yet addressed, but upstream indicates they are
    removing the gif2tiff utility as the mitigation in the upcoming 4.0.7.

Given the upstream mitigation for gif2tiff removal in 4.0.7 is known, I propose
we remove it in our port until the future release, given the outstanding
vulnerability, and no other mechanism to mitigate.

-- 
You are receiving this mail because:
You are the assignee for the bug.