Bug 216658

Summary:

security/vuxml: graphics/tiff < 4.0.7 has multiple vulnerabilities (2016Q4 or older)

Product:

Ports & Packages

Reporter:

Sevan Janiyan <venture37>

Component:

Individual Port(s)

Assignee:

Mark Felder <feld>

Status:

Closed Overcome By Events

Severity:

Affects Some People

CC:

admins, amontalban, feld, i.dani, mfechner, ml, pi, portmgr, ports-secteam, sevan

Priority:

---

Keywords:

patch-ready, security

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (ports-secteam)

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
Patch for all open vulnerabilities	none

Description Sevan Janiyan 2017-01-31 03:33:41 UTC

Fixed in 4.0.7 but missing vuxml entries
CVE-2016-5652
CVE-2017-5225
CVE-2016-9297
CVE-2016-9273
CVE-2016-6223
CVE-2016-5321
CVE-2016-5319
CVE-2016-5318
CVE-2016-5317
CVE-2016-5316
CVE-2016-5323


No present fix, missing vuxml entries
CVE-2017-5563
CVE-2016-9448
CVE-2016-9453

Comment 1 Sevan Janiyan 2017-01-31 04:09:48 UTC

(In reply to Sevan Janiyan from comment #0)
A mistake, CVE-2016-9448 & CVE-2016-9453 are fixed.
For CVE-2017-5225, 4.0.7 is vulnerable but a fix has been commited upstream: https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7

Comment 2 Jan Beich freebsd_committer

2017-04-21 08:06:40 UTC

ports-secteam@ prioritizes documenting *unfixed* vulnerabilities. If you need a fixed one documented as well submit a patch. Alas, CPE information is still not integrated with pkg-audit(8).

FWIW, I've marked < 4.0.8 as vulnerable in ports r438968.

Comment 3 Dani I. 2017-05-01 12:05:27 UTC

Created attachment 182215 [details]
Patch for all open vulnerabilities

This patch fixes all currently open vulnerabilities until the new version (4.0.8). According to the maintainers of libtiff, there are some weeks to go until 4.0.8 gets released, so i propose to apply the patch. Please bump the portrevision and update de vuxml-File to the correct version.

Here a short overview of the vulnerabilites, their documentation and the fix at github.

https://nvd.nist.gov/vuln/detail/CVE-2017-5225
http://bugzilla.maptools.org/show_bug.cgi?id=2656
http://bugzilla.maptools.org/show_bug.cgi?id=2657
https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7


https://nvd.nist.gov/vuln/detail/CVE-2017-7592
http://bugzilla.maptools.org/show_bug.cgi?id=2658
https://github.com/vadz/libtiff/commit/48780b4fcc42


https://nvd.nist.gov/vuln/detail/CVE-2017-7593
http://bugzilla.maptools.org/show_bug.cgi?id=2651
https://github.com/vadz/libtiff/commit/d60332057b95


https://nvd.nist.gov/vuln/detail/CVE-2017-7594
http://bugzilla.maptools.org/show_bug.cgi?id=2659
https://github.com/vadz/libtiff/commit/8283e4d1b7e5
https://github.com/vadz/libtiff/commit/2ea32f7372b6



Documentation of the following vulnerabilities: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes

https://nvd.nist.gov/vuln/detail/CVE-2017-7595
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122


https://nvd.nist.gov/vuln/detail/CVE-2017-7596
https://nvd.nist.gov/vuln/detail/CVE-2017-7597
https://nvd.nist.gov/vuln/detail/CVE-2017-7599
https://nvd.nist.gov/vuln/detail/CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490


https://nvd.nist.gov/vuln/detail/CVE-2017-7598
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8


https://nvd.nist.gov/vuln/detail/CVE-2017-7601
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490


https://nvd.nist.gov/vuln/detail/CVE-2017-7602
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

Comment 4 Sevan Janiyan 2017-05-03 23:25:45 UTC

(In reply to Dani from comment #3)
Thank you for fishing these out, all but the follow patch apply to v4.0.7
https://nvd.nist.gov/vuln/detail/CVE-2017-7596
https://nvd.nist.gov/vuln/detail/CVE-2017-7597
https://nvd.nist.gov/vuln/detail/CVE-2017-7599
https://nvd.nist.gov/vuln/detail/CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490

2 changes in this patch to libtiff/tif_dirwrite.c do not apply.

Comment 5 Dani I. 2017-05-05 09:36:22 UTC

(In reply to Sevan Janiyan from comment #4)
Yes, because you also have to include the following commit:
https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d

There are some lines in the following patch depending on them.
If you use my patch which is attached to this PR it'll work. (I've included it)

Comment 6 Kurt Jaeger freebsd_committer

2017-05-06 12:26:45 UTC

testbuilds on 12a, 11a, 10i done.

Comment 7 Sevan Janiyan 2017-05-06 22:43:20 UTC

Some more which are missing patches & vuxml entries.

CVE-2016-10092
http://bugzilla.maptools.org/show_bug.cgi?id=2620
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a

CVE-2016-10093
http://bugzilla.maptools.org/show_bug.cgi?id=2610
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec

CVE-2016-10094
http://bugzilla.maptools.org/show_bug.cgi?id=2640
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76

CVE-2016-10268
http://bugzilla.maptools.org/show_bug.cgi?id=2598
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df

CVE-2016-10269
http://bugzilla.maptools.org/show_bug.cgi?id=2604
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86

CVE-2016-10270
http://bugzilla.maptools.org/show_bug.cgi?id=2608
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018

Comment 8 Sevan Janiyan freebsd_committer

2017-05-08 01:54:26 UTC

CVE-2016-10266
http://bugzilla.maptools.org/show_bug.cgi?id=2596
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1

CVE-2016-10267
http://bugzilla.maptools.org/show_bug.cgi?id=2611
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec

Comment 9 Andres Montalban 2017-05-22 15:42:50 UTC

Seems Tiff 4.0.8 was released yesterday:

https://github.com/vadz/libtiff/releases/tag/Release-v4-0-8