Discussion:
tiff vulnerability in ports?
Aleksandr Miroslav
2016-08-04 16:23:31 UTC
This is perhaps a question for the tiff devs more than anything, but I
noticed that pkg audit has been complaining about libtiff (graphics/tiff)
for some time now.

FreeBSD's VUXML database says anything before 4.0.7 is affected, but
apparently that version hasn't been released yet (according to
http://www.remotesensing.org/libtiff/, the latest stable release is still
4.0.6).

Anyone know what's going on? Is there a release upcoming to fix this?

Thanks,
Alex
alphachi
2016-08-05 12:55:07 UTC
Please see this link to get more information:

https://svnweb.freebsd.org/ports?view=revision&revision=418585
Post by Aleksandr Miroslav
> This is perhaps a question for the tiff devs more than anything, but I
> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
> for some time now.
> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
> apparently that version hasn't been released yet (according to
> http://www.remotesensing.org/libtiff/, the latest stable release is still
> 4.0.6).
> Anyone know what's going on? Is there a release upcoming to fix this?
> Thanks,
> Alex
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
--
Paranoid in Sabbath ...
Matthew Seaman
2016-08-05 13:35:44 UTC
Post by alphachi
> https://svnweb.freebsd.org/ports?view=revision&revision=418585
> Post by Aleksandr Miroslav
>> This is perhaps a question for the tiff devs more than anything, but I
>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> for some time now.
>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> apparently that version hasn't been released yet (according to
>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> 4.0.6).
>> Anyone know what's going on? Is there a release upcoming to fix this?
Yeah -- this vulnerability:

https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html

has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
release from upstream yet.

Given their approach to fixing the buffer overflow was to delete the
offending gif2tiff application from the package, perhaps we could simply
do the same until 4.0.7 comes out.

Cheers,

Matthew
Kubilay Kocak
2016-08-05 15:43:56 UTC
Post by Matthew Seaman
> Post by alphachi
>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>> Post by Aleksandr Miroslav
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>> Anyone know what's going on? Is there a release upcoming to fix this?
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> release from upstream yet.
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
> Cheers,
> Matthew
Hi Aleksandr :)

Also:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively you (and anyone else) can just delete gif2tiff

Unfortunately you are yet one more example of a user that's been left in
the lurch without information or recourse wondering (rightfully) how
they can resolve or mitigate this vulnerability. Our apologies.

Hope that helps.
Kevin Oberman
2016-08-06 00:19:25 UTC
Post by Aleksandr Miroslav
> Post by Matthew Seaman
>> Post by alphachi
>>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>>> Post by Aleksandr Miroslav
>>>> This is perhaps a question for the tiff devs more than anything, but I
>>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>>> for some time now.
>>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>>> apparently that version hasn't been released yet (according to
>>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>>> 4.0.6).
>>>> Anyone know what's going on? Is there a release upcoming to fix this?
>> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> release from upstream yet.
>> Given their approach to fixing the buffer overflow was to delete the
>> offending gif2tiff application from the package, perhaps we could simply
>> do the same until 4.0.7 comes out.
>> Cheers,
>> Matthew
> Hi Aleksandr :)
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
> Please add a comment to that bug to request resolution of the issue.
> Alternatively you (and anyone else) can just delete gif2tiff
> Unfortunately you are yet one more example of a user that's been left in
> the lurch without information or recourse wondering (rightfully) how
> they can resolve or mitigate this vulnerability. Our apologies.
This one is really annoying in that it is so easily fixed. Just modify the
port to not build or even not install gif2tiff. It's not going to be fixed
upstream. At least the last message in the bugzilla indicates that the
program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
should get out front and just delete it now.

A fix is trivial, but touches 20 files and, of course, the plist. Guess I
should add it to the ticket.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: ***@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
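Added example, not code from the thread, the FreeBSD ports tree or libtiff: a small sh script that does by hand what the replies above suggest (Kubilay's "just delete gif2tiff" and Kevin's "don't install it"). It reads the installed tiff version with pkg query, decides whether it falls in the range the VuXML entry flags (anything before 4.0.7), and removes the gif2tiff binary and its man page from the prefix. The paths under PREFIX (bin/gif2tiff and man/man1/gif2tiff.1.gz) are assumed to be the stock port layout, and the version compare only understands plain dotted numbers with an optional _N/,N port suffix. Two caveats before running it: deleting the file does not change the package version, so pkg audit will keep reporting tiff-4.0.6 until a fixed package is installed, and pkg check -s tiff will report the removed files as missing.

```shell
#!/bin/sh
# mitigate_gif2tiff.sh (hypothetical name) -- added example for this thread,
# not part of graphics/tiff or the ports framework.
#
# Workaround for the gif2tiff buffer overflow in tiff < 4.0.7: remove the
# vulnerable helper program while leaving the rest of libtiff in place.
# Assumptions: stock port layout under PREFIX (bin/gif2tiff and
# man/man1/gif2tiff.1.gz) and purely numeric dotted version components.

set -u

# tiff_version_vulnerable VERSION
#   Returns 0 (true) when VERSION sorts below 4.0.7, the first release the
#   VuXML entry treats as fixed. A trailing port revision ("_1") or epoch
#   (",1") is stripped before comparing.
tiff_version_vulnerable() {
    v=$(printf '%s' "$1" | sed -e 's/[_,].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}
    minor=${2:-0}
    patch=${3:-0}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -gt 4 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 1; fi
    [ "$patch" -lt 7 ]
}

# installed_tiff_version
#   Prints the version of the installed tiff package, or nothing if it is
#   not installed. pkg query '%v' is the pkg(8) way to read it.
installed_tiff_version() {
    pkg query '%v' tiff 2>/dev/null
}

# remove_gif2tiff PREFIX
#   Deletes the gif2tiff binary and its man page under PREFIX.
#   Returns 0 when no gif2tiff binary remains afterwards, 1 otherwise.
remove_gif2tiff() {
    prefix=$1
    for f in "$prefix/bin/gif2tiff" "$prefix/man/man1/gif2tiff.1.gz"; do
        if [ -e "$f" ]; then
            rm -f "$f"
        fi
    done
    [ ! -e "$prefix/bin/gif2tiff" ]
}

# mitigate_tiff [PREFIX]
#   Full workaround: only touches the filesystem when the installed tiff
#   package is in the flagged range. Returns 0 when nothing was vulnerable
#   or the binary was removed, 1 when removal failed.
mitigate_tiff() {
    prefix=${1:-/usr/local}
    ver=$(installed_tiff_version)
    if [ -z "$ver" ]; then
        echo "tiff is not installed"
        return 0
    fi
    if tiff_version_vulnerable "$ver"; then
        echo "tiff-$ver is below 4.0.7; removing gif2tiff from $prefix"
        remove_gif2tiff "$prefix"
    else
        echo "tiff-$ver is not in the flagged range; nothing to do"
        return 0
    fi
}

# Only act when explicitly asked, so sourcing the file just defines the
# functions (handy for trying remove_gif2tiff against a scratch prefix).
if [ "${1:-}" = "--run" ]; then
    mitigate_tiff "${2:-/usr/local}"
fi
```

Run it as root with `sh mitigate_gif2tiff.sh --run`; an optional second argument overrides the prefix. Once the 4.0.7 package (or a port revision that drops gif2tiff) is installed, pkg audit stops complaining on its own and nothing here needs undoing.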
