From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211405] graphics/tiff: Remove gif2tiff (Reporting still vulnerable to CVE-2016-5102)
Date: Wed, 27 Jul 2016 11:40:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

            Bug ID: 211405
           Summary: graphics/tiff: Remove gif2tiff (Reporting still
                    vulnerable to CVE-2016-5102)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: needs-patch, security
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: portmgr@FreeBSD.org
          Reporter: koobs@FreeBSD.org
                CC: feld@FreeBSD.org, ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(portmgr@FreeBSD.org),
                    merge-quarterly?

A user reports on IRC (dastore @ freenode), requesting ETA on update to the
tiff port.

User reports:

tiff-4.0.6_2 is vulnerable:
CVE: CVE-2016-5102

4.0.6_2 appears to be the latest version in the tree committed by feld with
comment:

An additional CVE is not yet addressed, but upstream indicates they are
removing the gif2tiff utility as the mitigation in the upcoming 4.0.7.

Given the upstream mitigation for gif2tiff removal in 4.0.7 is known, I
propose we remove it in our port until the future release, given the
outstanding vulnerability, and no other mechanism to mitigate.