[Bug 223979] graphics/OpenEXR is NOT vulnerable

Wed Nov 29 23:45:24 UTC 2017

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223979

            Bug ID: 223979
           Summary: graphics/OpenEXR is NOT vulnerable
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: mandree at FreeBSD.org
          Reporter: mi at ALDAN.algebra.com
             Flags: maintainer-feedback?(mandree at FreeBSD.org)
          Assignee: mandree at FreeBSD.org

The port is marked "vulnerable", but the the package's upstream maintainer
argues persuasively, that the vulnerabilities aren't real:

 https://github.com/openexr/openexr/issues/232

His argument boils down to the fact that, in order to "exploit" them, one needs
to write a broken program and link it with OpenEXR's libraries. One such
program is exr2aces included in the sources, but _not installed by our port_.

The GitHub link has pull-requests -- some of them recent -- but the point
stands, the breakage is not and the port is not vulnerable.

Perhaps, we ought to remove it from vuxml.xml and undeprecate the port --
especially now that KDE-bits offer it as a new option.

-- 
You are receiving this mail because:
You are the assignee for the bug.