Bug 211113 - graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186
Summary: graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Port Management Team
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-07-14 14:25 UTC by Piotr Kubaj
Modified: 2016-07-27 11:40 UTC
CC: 3 users

See Also:
bugzilla: maintainer-feedback? (portmgr)
feld: merge-quarterly+


Attachments
Poudriere log (104.59 KB, text/x-log)
2016-07-14 14:25 UTC, Piotr Kubaj
no flags
CVE patch (3.26 KB, patch)
2016-07-14 14:27 UTC, Piotr Kubaj
pkubaj: maintainer-approval? (portmgr)

Description Piotr Kubaj 2016-07-14 14:25:44 UTC
Created attachment 172514 [details]
Poudriere log

The patches themselves are taken from OpenBSD. The Poudriere log is also attached.
Comment 1 Piotr Kubaj 2016-07-14 14:27:49 UTC
Created attachment 172515 [details]
CVE patch
Comment 2 Mark Felder 2016-07-15 16:04:39 UTC
Also this CVE needs to be added to vuxml, but it isn't fixed until the 4.0.7 release of tiff, in which they just remove the gif2tiff utility to resolve it.

http://bugzilla.maptools.org/show_bug.cgi?id=2552
Comment 3 commit-hook 2016-07-15 16:20:03 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:19:22 UTC 2016
New revision: 418584
URL: https://svnweb.freebsd.org/changeset/ports/418584

Log:
  Document tiff vulnerabilities

  Security:	CVE-2016-5102
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  PR:		211113

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook 2016-07-15 16:23:05 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:22:54 UTC 2016
New revision: 418585
URL: https://svnweb.freebsd.org/changeset/ports/418585

Log:
  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  MFH:		2016Q3
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

Changes:
  head/graphics/tiff/Makefile
  head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  head/graphics/tiff/files/patch-tools_gif2tiff.c
Comment 5 commit-hook 2016-07-15 16:25:07 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:24:48 UTC 2016
New revision: 418586
URL: https://svnweb.freebsd.org/changeset/ports/418586

Log:
  MFH: r418585

  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/graphics/tiff/Makefile
  branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c
Comment 6 Mark Felder 2016-07-15 16:28:19 UTC
The remaining documented CVE will be addressed when 4.0.7 is released and portmgr has signed off on it, as new releases of graphics/tiff have to pass an exp-run before they are committed into ports.
Comment 7 Mathieu Arnold 2016-07-19 11:55:20 UTC
(In reply to Piotr Kubaj from comment #0)
> Created attachment 172514 [details]
> Poudriere log
> 
> The patches itself are taken from OpenBSD. Poudriere log is also attached.

As a side note for the reporter: never attach successful poudriere logs. If it builds, the logs won't add anything; just say "builds fine on VERSION-ARCH in poudriere".