211113 – graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186

Bug 211113 - graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186

Summary: graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Many People
Assignee:	Port Management Team

URL:
Keywords:	patch, security

Depends on:
Blocks:

Reported:	2016-07-14 14:25 UTC by Piotr Kubaj
Modified:	2016-07-27 11:40 UTC (History)
CC List:	3 users (show)

See Also:	211405

Flags:	bugzilla: maintainer-feedback? (portmgr) feld: merge-quarterly+

Attachments
Poudriere log (104.59 KB, text/x-log) 2016-07-14 14:25 UTC, Piotr Kubaj	no flags	Details
CVE patch (3.26 KB, patch) 2016-07-14 14:27 UTC, Piotr Kubaj	pkubaj: maintainer-approval? (portmgr)	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Piotr Kubaj freebsd_committer

2016-07-14 14:25:44 UTC

Created attachment 172514 [details]
Poudriere log

The patches itself are taken from OpenBSD. Poudriere log is also attached.

Comment 1 Piotr Kubaj freebsd_committer

2016-07-14 14:27:49 UTC

Created attachment 172515 [details]
CVE patch

Comment 2 Mark Felder freebsd_committer

2016-07-15 16:04:39 UTC

Also this CVE needs to be added to vuxml, but isn't fixed until 4.0.7 release of tiff in which they just remove the gif2tiff utility to resolve it.

http://bugzilla.maptools.org/show_bug.cgi?id=2552

Comment 3 commit-hook freebsd_committer

2016-07-15 16:20:03 UTC

A commit references this bug:

Author: feld
Date: Fri Jul 15 16:19:22 UTC 2016
New revision: 418584
URL: https://svnweb.freebsd.org/changeset/ports/418584

Log:
  Document tiff vulnerabilities

  Security:	CVE-2016-5102
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  PR:		211113

Changes:
  head/security/vuxml/vuln.xml

Comment 4 commit-hook freebsd_committer

2016-07-15 16:23:05 UTC

A commit references this bug:

Author: feld
Date: Fri Jul 15 16:22:54 UTC 2016
New revision: 418585
URL: https://svnweb.freebsd.org/changeset/ports/418585

Log:
  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  MFH:		2016Q3
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

Changes:
  head/graphics/tiff/Makefile
  head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  head/graphics/tiff/files/patch-tools_gif2tiff.c

Comment 5 commit-hook freebsd_committer

2016-07-15 16:25:07 UTC

A commit references this bug:

Author: feld
Date: Fri Jul 15 16:24:48 UTC 2016
New revision: 418586
URL: https://svnweb.freebsd.org/changeset/ports/418586

Log:
  MFH: r418585

  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/graphics/tiff/Makefile
  branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c

Comment 6 Mark Felder freebsd_committer

2016-07-15 16:28:19 UTC

The remaining documented CVE will be addressed when 4.0.7 is released and portmgr has signed off on it, as new releases of graphics/tiff have to pass an exp-run before they are committed into ports.

Comment 7 Mathieu Arnold freebsd_committer

2016-07-19 11:55:20 UTC

(In reply to Piotr Kubaj from comment #0)
> Created attachment 172514 [details]
> Poudriere log
> 
> The patches itself are taken from OpenBSD. Poudriere log is also attached.

As a side note for the reporter, never attach successful poudriere logs, if it builds, the logs won't add anything, just say"builds fine on VERSION-ARCH in poudriere"