Bug 216658 - security/vuxml: graphics/tiff < 4.0.7 has multiple vulnerabilities (2016Q4 or older)
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mark Felder
URL:
Keywords: patch-ready, security
Depends on:
Blocks:
 
Reported: 2017-01-31 03:33 UTC by Sevan Janiyan
Modified: 2017-06-09 16:11 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
Patch for all open vulnerabilities (19.13 KB, patch)
2017-05-01 12:05 UTC, Dani I.

Description Sevan Janiyan 2017-01-31 03:33:41 UTC
Fixed in 4.0.7 but missing vuxml entries
CVE-2016-5652
CVE-2017-5225
CVE-2016-9297
CVE-2016-9273
CVE-2016-6223
CVE-2016-5321
CVE-2016-5319
CVE-2016-5318
CVE-2016-5317
CVE-2016-5316
CVE-2016-5323


No present fix, missing vuxml entries
CVE-2017-5563
CVE-2016-9448
CVE-2016-9453
Comment 1 Sevan Janiyan 2017-01-31 04:09:48 UTC
(In reply to Sevan Janiyan from comment #0)
A mistake, CVE-2016-9448 & CVE-2016-9453 are fixed.
For CVE-2017-5225, 4.0.7 is vulnerable but a fix has been committed upstream: https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
Comment 2 Jan Beich freebsd_committer freebsd_triage 2017-04-21 08:06:40 UTC
ports-secteam@ prioritizes documenting *unfixed* vulnerabilities. If you need a fixed one documented as well, submit a patch. Alas, CPE information is still not integrated with pkg-audit(8).

FWIW, I've marked < 4.0.8 as vulnerable in ports r438968.
Comment 3 Dani I. 2017-05-01 12:05:27 UTC
Created attachment 182215
Patch for all open vulnerabilities

This patch fixes all currently open vulnerabilities until the new version (4.0.8). According to the maintainers of libtiff, there are some weeks to go until 4.0.8 gets released, so I propose to apply the patch. Please bump the portrevision and update the vuxml-File to the correct version.

Here is a short overview of the vulnerabilities, their documentation and the fix at github.

https://nvd.nist.gov/vuln/detail/CVE-2017-5225
http://bugzilla.maptools.org/show_bug.cgi?id=2656
http://bugzilla.maptools.org/show_bug.cgi?id=2657
https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7


https://nvd.nist.gov/vuln/detail/CVE-2017-7592
http://bugzilla.maptools.org/show_bug.cgi?id=2658
https://github.com/vadz/libtiff/commit/48780b4fcc42


https://nvd.nist.gov/vuln/detail/CVE-2017-7593
http://bugzilla.maptools.org/show_bug.cgi?id=2651
https://github.com/vadz/libtiff/commit/d60332057b95


https://nvd.nist.gov/vuln/detail/CVE-2017-7594
http://bugzilla.maptools.org/show_bug.cgi?id=2659
https://github.com/vadz/libtiff/commit/8283e4d1b7e5
https://github.com/vadz/libtiff/commit/2ea32f7372b6



Documentation of the following vulnerabilities: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes

https://nvd.nist.gov/vuln/detail/CVE-2017-7595
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122


https://nvd.nist.gov/vuln/detail/CVE-2017-7596
https://nvd.nist.gov/vuln/detail/CVE-2017-7597
https://nvd.nist.gov/vuln/detail/CVE-2017-7599
https://nvd.nist.gov/vuln/detail/CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490


https://nvd.nist.gov/vuln/detail/CVE-2017-7598
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8


https://nvd.nist.gov/vuln/detail/CVE-2017-7601
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490


https://nvd.nist.gov/vuln/detail/CVE-2017-7602
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
Comment 4 Sevan Janiyan 2017-05-03 23:25:45 UTC
(In reply to Dani from comment #3)
Thank you for fishing these out, all but the following patch apply to v4.0.7
https://nvd.nist.gov/vuln/detail/CVE-2017-7596
https://nvd.nist.gov/vuln/detail/CVE-2017-7597
https://nvd.nist.gov/vuln/detail/CVE-2017-7599
https://nvd.nist.gov/vuln/detail/CVE-2017-7600
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490

2 changes in this patch to libtiff/tif_dirwrite.c do not apply.
Comment 5 Dani I. 2017-05-05 09:36:22 UTC
(In reply to Sevan Janiyan from comment #4)
Yes, because you also have to include the following commit:
https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d

There are some lines in the following patch depending on them.
If you use my patch which is attached to this PR it'll work. (I've included it)
Comment 6 Kurt Jaeger freebsd_committer freebsd_triage 2017-05-06 12:26:45 UTC
testbuilds on 12a, 11a, 10i done.
Comment 9 Andres Montalban 2017-05-22 15:42:50 UTC
Seems Tiff 4.0.8 was released yesterday:

https://github.com/vadz/libtiff/releases/tag/Release-v4-0-8