Bug 211113

Summary: graphics/tiff: Backport fixes for CVE-2016-5875, CVE-2016-3186
Product: Ports & Packages
Reporter: Piotr Kubaj <pkubaj>
Component: Individual Port(s)
Assignee: Port Management Team <portmgr>
Status: Closed FIXED
Severity: Affects Many People
CC: feld, portmgr, ports-secteam
Priority: Normal
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (portmgr)
       feld: merge-quarterly+
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
Attachments (Description / Flags):
  Poudriere log / none
  CVE patch / pkubaj: maintainer-approval? (portmgr)

Description Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 14:25:44 UTC
Created attachment 172514 [details]
Poudriere log

The patches themselves are taken from OpenBSD. The Poudriere log is also attached.
Comment 1 Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 14:27:49 UTC
Created attachment 172515 [details]
CVE patch
Comment 2 Mark Felder freebsd_committer freebsd_triage 2016-07-15 16:04:39 UTC
Also, this CVE needs to be added to vuxml, but it isn't fixed until the 4.0.7 release of tiff, in which they just remove the gif2tiff utility to resolve it.

http://bugzilla.maptools.org/show_bug.cgi?id=2552
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-07-15 16:20:03 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:19:22 UTC 2016
New revision: 418584
URL: https://svnweb.freebsd.org/changeset/ports/418584

Log:
  Document tiff vulnerabilities

  Security:	CVE-2016-5102
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  PR:		211113

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-07-15 16:23:05 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:22:54 UTC 2016
New revision: 418585
URL: https://svnweb.freebsd.org/changeset/ports/418585

Log:
  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  MFH:		2016Q3
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

Changes:
  head/graphics/tiff/Makefile
  head/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  head/graphics/tiff/files/patch-tools_gif2tiff.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-07-15 16:25:07 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 16:24:48 UTC 2016
New revision: 418586
URL: https://svnweb.freebsd.org/changeset/ports/418586

Log:
  MFH: r418585

  graphics/tiff: Patch vulnerabilities

  These two patches were obtained from OpenBSD. An additional CVE is not
  yet addressed, but upstream indicates they are removing the gif2tiff
  utility as the mitigation in the upcoming 4.0.7.

  PR:		211113
  Security:	CVE-2016-5875
  Security:	CVE-2016-3186

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/graphics/tiff/Makefile
  branches/2016Q3/graphics/tiff/files/patch-libtiff_tif__pixarlog.c
  branches/2016Q3/graphics/tiff/files/patch-tools_gif2tiff.c
Comment 6 Mark Felder freebsd_committer freebsd_triage 2016-07-15 16:28:19 UTC
The remaining documented CVE will be addressed when 4.0.7 is released and portmgr has signed off on it, as new releases of graphics/tiff have to pass an exp-run before they are committed into ports.
Comment 7 Mathieu Arnold freebsd_committer freebsd_triage 2016-07-19 11:55:20 UTC
(In reply to Piotr Kubaj from comment #0)
> Created attachment 172514 [details]
> Poudriere log
> 
> The patches themselves are taken from OpenBSD. The Poudriere log is also attached.

As a side note for the reporter: never attach successful poudriere logs. If it builds, the logs won't add anything; just say "builds fine on VERSION-ARCH in poudriere".