On Fri, Aug 5, 2016 at 5:19 PM, Kevin Oberman <rkober...@gmail.com> wrote:
> On Fri, Aug 5, 2016 at 8:43 AM, Kubilay Kocak <ko...@freebsd.org> wrote:
>
>> On 5/08/2016 11:35 PM, Matthew Seaman wrote:
>> > On 2016/08/05 13:55, alphachi wrote:
>> >> Please see this link to get more information:
>> >>
>> >> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>> >>
>> >> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <alexmiros...@gmail.com>:
>> >>
>> >>> This is perhaps a question for the tiff devs more than anything, but I
>> >>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>> >>> for some time now.
>> >>>
>> >>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>> >>> apparently that version hasn't been released yet (according to
>> >>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>> >>> 4.0.6).
>> >>>
>> >>> Anyone know what's going on? Is there a release upcoming to fix this?
>> >
>> > Yeah -- this vulnerability:
>> >
>> > https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>> >
>> > has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
>> > release from upstream yet.
>> >
>> > Given their approach to fixing the buffer overflow was to delete the
>> > offending gif2tiff application from the package, perhaps we could simply
>> > do the same until 4.0.7 comes out.
>> >
>> > Cheers,
>> >
>> > Matthew
>>
>> Hi Aleksandr :)
>>
>> Also:
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
>>
>> Please add a comment to that bug to request resolution of the issue.
>>
>> Alternatively you (and anyone else) can just delete gif2tiff
>>
>> Unfortunately you are yet one more example of a user that's been left in
>> the lurch without information or recourse wondering (rightfully) how
>> they can resolve or mitigate this vulnerability. Our apologies.
>
> This one is really annoying in that it is so easily fixed. Just modify the
> port to not build or even not install gif2tiff. It's not going to be fixed
> upstream. At least the last message in the bugzilla indicates that the
> program will simply be removed from 4.0.7 whenever it comes out. FreeBSD
> should get out front and just delete it now.
>
> A fix is trivial, but touches 20 files and, of course, the plist. Guess I
> should add it to the ticket.

Never mind. Mark Felder submitted it a week ago. If someone could look at it
and commit? I'd also suggest a note to UPDATING that gif2tiff is gone.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
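The thread's interim advice is twofold: the VuXML entry flags any tiff package older than 4.0.7, and the suggested workaround until the port is fixed is simply to delete the gif2tiff binary. The following POSIX sh script is an added example written for this page; it is not code from the thread, the FreeBSD ports tree, or the libtiff project. It compares an installed package version (as `pkg query %v tiff` would print it, e.g. a constructed `4.0.6_1`, where the `_1` PORTREVISION suffix and any `,N` epoch are stripped before comparison) against the 4.0.7 threshold, and removes gif2tiff and its man page from a prefix. The man page path `man/man1/gif2tiff.1.gz` and the default prefix `/usr/local` are assumptions about the port's layout, and `PREFIX` is a parameter so the removal can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): check whether an
# installed tiff package is in the VuXML-affected range (< 4.0.7) and, if so,
# apply the interim mitigation the thread suggests: delete gif2tiff.

# vercmp A B: print -1, 0 or 1 for A < B, A == B, A > B on dotted versions.
# Missing components are treated as 0, so 4.1 == 4.1.0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# tiff_affected VERSION: succeed (exit 0) when VERSION is older than 4.0.7.
# Strips the FreeBSD package suffixes first: "_N" (PORTREVISION) and ",N" (epoch),
# so "4.0.6_1" is compared as "4.0.6".
tiff_affected() {
    v=${1%%_*}; v=${v%%,*}
    [ "$(vercmp "$v" 4.0.7)" = -1 ]
}

# remove_gif2tiff [PREFIX]: delete the gif2tiff binary and man page under PREFIX
# (default /usr/local; the man page location is an assumption about the port).
# Prints the number of files actually removed, so a second run prints 0.
remove_gif2tiff() {
    prefix=${1:-/usr/local}
    removed=0
    for f in "$prefix/bin/gif2tiff" "$prefix/man/man1/gif2tiff.1.gz"; do
        if [ -e "$f" ]; then
            rm -f "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# main: query the live system with pkg(8) and mitigate if needed.
# Not called automatically so the functions above can be sourced and tested.
main() {
    ver=$(pkg query %v tiff 2>/dev/null) || { echo "tiff not installed"; return 0; }
    if tiff_affected "$ver"; then
        echo "tiff $ver is in the VuXML-affected range (< 4.0.7); removing gif2tiff"
        echo "removed $(remove_gif2tiff "${PREFIX:-/usr/local}") file(s)"
    else
        echo "tiff $ver is not affected"
    fi
}
```

Run `main` as root on a FreeBSD host to act on the real package; `pkg audit` will still list the package until the port itself is updated, because the audit is keyed on the package version, not on which files remain installed.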