On 5/08/2016 11:35 PM, Matthew Seaman wrote:
> On 2016/08/05 13:55, alphachi wrote:
>> Please see this link to get more information:
>>
>> https://svnweb.freebsd.org/ports?view=revision&revision=418585
>>
>> 2016-08-05 0:23 GMT+08:00 Aleksandr Miroslav <[email protected]>:
>>
>>> This is perhaps a question for the tiff devs more than anything, but I
>>> noticed that pkg audit has been complaining about libtiff (graphics/tiff)
>>> for some time now.
>>>
>>> FreeBSD's VUXML database says anything before 4.0.7 is affected, but
>>> apparently that version hasn't been released yet (according to
>>> http://www.remotesensing.org/libtiff/, the latest stable release is still
>>> 4.0.6).
>>>
>>> Anyone know what's going on? Is there a release upcoming to fix this?
>
> Yeah -- this vulnerability:
>
> https://vuxml.freebsd.org/freebsd/c17fe91d-4aa6-11e6-a7bd-14dae9d210b8.html
>
> has been in VuXML since 2016-07-15 but there's no indication of a 4.0.7
> release from upstream yet.
>
> Given their approach to fixing the buffer overflow was to delete the
> offending gif2tiff application from the package, perhaps we could simply
> do the same until 4.0.7 comes out.
>
> Cheers,
>
> Matthew
>
Hi Aleksandr :)

Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405

Please add a comment to that bug to request resolution of the issue.

Alternatively you (and anyone else) can just delete gif2tiff.

Unfortunately you are yet one more example of a user that's been left in the lurch without information or recourse, wondering (rightfully) how they can resolve or mitigate this vulnerability. Our apologies.

Hope that helps.
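The workaround suggested in both replies is to drop the gif2tiff binary from the installed graphics/tiff package until a fixed release ships. The script below is an added example, not code from the thread or from the tiff or FreeBSD ports projects. It assumes the port installs gif2tiff as $PREFIX/bin/gif2tiff with PREFIX defaulting to /usr/local (an assumption, not stated in the thread), and it treats pkg(8) as optional so the removal logic can be exercised against a scratch prefix on any POSIX system.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread above: remove the
# gif2tiff binary from an installed graphics/tiff package as a stop-gap
# until a fixed release appears, and show how to check what pkg(8) thinks.
#
# Assumptions (not taken from the thread): the port installs the binary
# under $PREFIX/bin, PREFIX defaults to /usr/local, and pkg(8) may be
# absent, in which case the audit check simply reports "not flagged".

set -u

# tiff_flagged: return 0 if pkg(8) is available and `pkg audit -q`
# currently lists the installed tiff package, 1 otherwise.
tiff_flagged() {
    command -v pkg >/dev/null 2>&1 || return 1
    pkg audit -q 2>/dev/null | grep -q '^tiff-'
}

# gif2tiff_path PREFIX: print the expected path of the gif2tiff binary.
gif2tiff_path() {
    printf '%s/bin/gif2tiff\n' "$1"
}

# gif2tiff_present PREFIX: 0 if the binary still exists, 1 if not.
gif2tiff_present() {
    [ -e "$(gif2tiff_path "$1")" ]
}

# remove_gif2tiff PREFIX: delete the gif2tiff binary if it is present.
# Prints what it did and returns 0 in both the "removed" and the
# "already absent" case, so it is safe to re-run from cron or a fleet tool.
remove_gif2tiff() {
    bin=$(gif2tiff_path "$1")
    if [ -e "$bin" ]; then
        rm -f "$bin" || return 1
        echo "removed $bin"
    else
        echo "$bin already absent"
    fi
    return 0
}

# main PREFIX: the real run on a FreeBSD host. After the removal,
# `pkg check -s tiff` will report the missing file, and the next
# `pkg upgrade` that touches tiff reinstalls gif2tiff, so re-run this
# after upgrades until `pkg audit` no longer flags the installed version.
main() {
    prefix=${1:-/usr/local}
    if tiff_flagged; then
        echo "pkg audit flags the installed tiff package; applying workaround"
    else
        echo "pkg audit does not flag tiff (or pkg is unavailable); applying anyway"
    fi
    remove_gif2tiff "$prefix"
}

# Invoke as: sh mitigate-gif2tiff.sh --apply [/usr/local]
if [ "${1:-}" = "--apply" ]; then
    main "${2:-/usr/local}"
fi
```

Run it with `--apply` as root on the affected host; without the flag it only defines the functions, which is what makes it usable from other scripts. Removing the file by hand does not update the package database, so expect `pkg check -s tiff` to complain about the missing checksum until the package is upgraded to a release that no longer ships gif2tiff.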
