Bug 205923 - graphics/tiff: Add patches for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Raphael Kubo da Costa
Keywords: security
Reported: 2016-01-05 14:34 UTC by Raphael Kubo da Costa
Modified: 2016-01-05 15:07 UTC
antoine: maintainer-feedback+
rakuco: merge-quarterly+


Attachments
Proposed patch (13.52 KB, patch)
2016-01-05 14:34 UTC, Raphael Kubo da Costa

Description Raphael Kubo da Costa freebsd_committer 2016-01-05 14:34:53 UTC
Created attachment 165108
Proposed patch

The attached patch contains fixes (obtained from libtiff's CVS repository) fixing CVE-2015-8665, CVE-2015-8683 and some out-of-bounds vulnerabilities with no corresponding CVEs. Debian is also shipping these changes.
Comment 1 Antoine Brodin freebsd_committer 2016-01-05 14:52:27 UTC
looks good
Comment 2 commit-hook freebsd_committer 2016-01-05 15:05:35 UTC
A commit references this bug:

Author: rakuco
Date: Tue Jan  5 15:04:58 UTC 2016
New revision: 405294
URL: https://svnweb.freebsd.org/changeset/ports/405294

Log:
  Add fixes for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities.

  Besides fixing the two CVEs mentioned above, this change also pulls two
  other commits from libtiff upstream fixing other out-of-bounds reads that do
  not have corresponding CVEs and were reported directly in libtiff's bug
  tracker.

  PR:		205923
  Approved by:	portmgr (antoine)
  Obtained from:	libtiff CVS repository
  Security:	b65e4914-b3bc-11e5-8255-5453ed2e2b49
  Security:	bd349f7a-b3b9-11e5-8255-5453ed2e2b49

Changes:
  head/graphics/tiff/Makefile
  head/graphics/tiff/files/patch-CVE-2015-8665_8683
  head/graphics/tiff/files/patch-libtiff_tif__luv.c
  head/graphics/tiff/files/patch-libtiff_tif__next.c
Comment 3 commit-hook freebsd_committer 2016-01-05 15:06:37 UTC
A commit references this bug:

Author: rakuco
Date: Tue Jan  5 15:06:08 UTC 2016
New revision: 405295
URL: https://svnweb.freebsd.org/changeset/ports/405295

Log:
  MFH: r405294

  Add fixes for CVE-2015-8665, CVE-2015-8683 and other vulnerabilities.

  Besides fixing the two CVEs mentioned above, this change also pulls two
  other commits from libtiff upstream fixing other out-of-bounds reads that do
  not have corresponding CVEs and were reported directly in libtiff's bug
  tracker.

  PR:		205923
  Approved by:	portmgr (antoine)
  Obtained from:	libtiff CVS repository
  Security:	b65e4914-b3bc-11e5-8255-5453ed2e2b49
  Security:	bd349f7a-b3b9-11e5-8255-5453ed2e2b49

  Approved by:	portmgr blanket

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/tiff/Makefile
  branches/2016Q1/graphics/tiff/files/patch-CVE-2015-8665_8683
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__luv.c
  branches/2016Q1/graphics/tiff/files/patch-libtiff_tif__next.c