Date:      Sat, 6 Aug 2016 01:43:56 +1000
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        freebsd-questions@freebsd.org, freebsd-ports@FreeBSD.org, alexmiroslav@gmail.com
Cc:        Matthew Seaman <matthew@FreeBSD.org>, FreeBSD Ports Security Team <ports-secteam@freebsd.org>
Subject:   Re: tiff vulnerability in ports?
Message-ID:  <b05d61de-03e7-0599-17c9-0d055ac8ab61@FreeBSD.org>
In-Reply-To: <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>
References:  <CACcSE1z4m_o9z2Ttw-Sb7bNhVmnwDrVX8BQFfa2a_dBbW_hwyw@mail.gmail.com> <CAJN5+GtsJ=n2m8Xz5eZj92yo5vFZST0dO1ZnLCpmf4x0H95w-Q@mail.gmail.com> <33ac70de-78b6-dc54-e81f-3153d0d721e4@FreeBSD.org>

On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> On 2016/08/05 13:55, alphachi wrote:
>> Please see this link to get more information:
>>
>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>>
>> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiroslav@gmail.com>:
>>
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>>
>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>>
>>> Anyone know what's going on? Is there a release upcoming to fix this?
> 
> Yeah -- this vulnerability:
> 
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> 
> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> release from upstream yet.
> 
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
> 
> 	Cheers,
> 
> 	Matthew
> 
> 

Hi Aleksandr :)

Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively, you (and anyone else) can just delete gif2tiff.

Unfortunately you are yet one more example of a user that's been left in
the lurch without information or recourse, wondering (rightfully) how
they can resolve or mitigate this vulnerability. Our apologies.

Hope that helps.
