Bug 205923

Summary: graphics/tiff: Add patches for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities
Product: Ports & Packages
Reporter: Raphael Kubo da Costa <rakuco>
Component: Individual Port(s)
Assignee: Raphael Kubo da Costa <rakuco>
Status: Closed FIXED
Severity: Affects Only Me
CC: ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: antoine: maintainer-feedback+, rakuco: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  Proposed patch (flags: none)

Description Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-01-05 14:34:53 UTC
Created attachment 165108
Proposed patch

The attached patch contains fixes (obtained from libtiff's CVS repository) fixing CVE-2015-8665, CVE-2015-8683 and some out-of-bounds vulnerabilities with no corresponding CVEs. Debian is also shipping these changes.

Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2016-01-05 14:52:27 UTC
looks good

Comment 2 commit-hook freebsd_committer freebsd_triage 2016-01-05 15:05:35 UTC
A commit references this bug:

Author: rakuco
Date: Tue Jan  5 15:04:58 UTC 2016
New revision: 405294
URL: https://svnweb.freebsd.org/changeset/ports/405294

Log:
  Add fixes for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities.

  Besides fixing the two CVEs mentioned above, this change also pulls two
  other commits from libtiff upstream fixing other out-of-bounds reads that do
  not have corresponding CVEs and were reported directly in libtiff's bug
  tracker.

  PR:		205923
  Approved by:	portmgr (antoine)
  Obtained from:	libtiff CVS repository
  Security:	b65e4914-b3bc-11e5-8255-5453ed2e2b49
  Security:	bd349f7a-b3b9-11e5-8255-5453ed2e2b49

Changes:
  head/graphics/tiff/Makefile
  head/graphics/tiff/files/patch-CVE-2015-8665_8683
  head/graphics/tiff/files/patch-libtiff_tif__luv.c
  head/graphics/tiff/files/patch-libtiff_tif__next.c

Comment 3 commit-hook freebsd_committer freebsd_triage 2016-01-05 15:06:37 UTC
A commit references this bug:

Author: rakuco
Date: Tue Jan  5 15:06:08 UTC 2016
New revision: 405295
URL: https://svnweb.freebsd.org/changeset/ports/405295

Log:
  MFH: r405294

  Add fixes for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities.

  Besides fixing the two CVEs mentioned above, this change also pulls two
  other commits from libtiff upstream fixing other out-of-bounds reads that do
  not have corresponding CVEs and were reported directly in libtiff's bug
  tracker.

  PR:		205923
  Approved by:	portmgr (antoine)
  Obtained from:	libtiff CVS repository
  Security:	b65e4914-b3bc-11e5-8255-5453ed2e2b49
  Security:	bd349f7a-b3b9-11e5-8255-5453ed2e2b49

  Approved by:	portmgr blanket

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/tiff/Makefile
  branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c