[Bug 211405] graphics/tiff: Remove gif2tiff (Reporting still vulnerable to CVE-2016-5102)
bugzilla-noreply at freebsd.org
Wed Jul 27 11:40:01 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211405
Bug ID: 211405
Summary: graphics/tiff: Remove gif2tiff (Reporting still vulnerable to CVE-2016-5102)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Keywords: needs-patch, security
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: portmgr at FreeBSD.org
Reporter: koobs at FreeBSD.org
CC: feld at FreeBSD.org, ports-secteam at FreeBSD.org
Flags: maintainer-feedback?(portmgr at FreeBSD.org), merge-quarterly?
A user reports on IRC (dastore @ freenode), requesting ETA on update to the
tiff port. User reports:
tiff-4.0.6_2 is vulnerable: CVE: CVE-2016-5102
4.0.6_2 appears to be the latest version in the tree committed by feld with
comment:
An additional CVE is not yet addressed, but upstream indicates they are
removing the gif2tiff utility as the mitigation in the upcoming 4.0.7.
Given the upstream mitigation for gif2tiff removal in 4.0.7 is known, I propose
we remove it in our port until the future release, given the outstanding
vulnerability, and no other mechanism to mitigate.
--
You are receiving this mail because:
You are the assignee for the bug.