Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)

To: debian-security@lists.debian.org
Cc: Debian TeX maintainers <debian-tex-maint@lists.debian.org>, secure-testing-team@lists.alioth.debian.org
Subject: Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
From: Frank Küster <frank@kuesterei.ch>
Date: Thu, 17 Sep 2009 14:11:16 +0200
Message-id: <[🔎] 87bpl9ixej.fsf@riesling.zuerich.kuesterei.ch>
In-reply-to: <20090916191017.GA18081@galadriel.inutil.org> (Moritz Muehlenhoff's message of "Wed\, 16 Sep 2009 21\:10\:17 +0200")
References: <20090916191017.GA18081@galadriel.inutil.org>

Hi,

This DSA made me aware that there might be a problem in texlive. It
contains a changed copy of libicu; the changes are needed by xetex, and
xetex upstream intends to have them merged. But for the time being, the
code copy is there.

I fear I won't have time to work on a security update of texlive right
now, and Norbert is busy as well. 

I have added the information to embedded-code-copies, a diff (which also
includes some more TeXLive-related corrections) is attached.

Regards, Frank


-- 
Dr. Frank Küster
Debian Developer (TeXLive)
VCD Aschaffenburg-Miltenberg, ADFC Miltenberg
B90/Grüne KV Miltenberg

--- embedded-code-copies.orig	2009-09-17 11:26:34.000000000 +0200
+++ embedded-code-copies	2009-09-17 11:32:57.000000000 +0200
@@ -98,9 +98,8 @@
 </code><code>        [etch] - pdftohtml &lt;unfixed&gt;
 </code><code>        NOTE: has been replaced by poppler-utils
 </code><code>        - kdegraphics 4:4.2.2-1 (embed; bug #436164)
-</code><code>        - texlive-base 3.0-12 (embed)
 </code><code>        - texlive-bin 2007-1 (embed)
-</code><code>        NOTE: links to poppler
+</code><code>        NOTE: unused code, links to poppler instead
 </code><code>        - koffice &lt;unfixed&gt; (embed; bug #436163)
 </code><code>        - libextractor 0.5.12-1 (embed)
 </code><code>        NOTE: libextractor is using its own pdf decoder now
@@ -577,7 +576,9 @@
 </code><code>
 </code><code>t1lib
 </code><code>        - tetex-bin 2.0.2-1 (embed)
-</code><code>        - texlive-bin &lt;unknown&gt; (embed)
+</code><code>        - texlive-bin &lt;not-affected&gt; (embed)
+</code><code>        NOTE: completely unused code (configured with
+</code><code>        --with-system-t1lib, but no Build-dep on t1)
 </code><code>
 </code><code>guichan
 </code><code>        - boswars &lt;unfixed&gt; (embed)
@@ -996,6 +997,11 @@
 </code><code>
 </code><code>pidgin
 </code><code>        - gaim &lt;old-version&gt;
+</code><code>icu
+</code><code>        - texlive-bin &lt;unfixed&gt; (embed)
+</code><code>        NOTE: The embedded copy is kind-of-a-fork, 
+</code><code>        upstream is working with icu to get changes
+</code><code>        merged back.
 </code><code></PRE>
 </code><code></code>    </div>

 <p>

Reply to:

Follow-Ups:
- Re: [Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Re: [Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Bug#531569: We are currently upgrading our data base
Next by Date: [TL 2009] texlive-base: Warning upon removal
Previous by thread: Bug#531569: We are currently upgrading our data base
Next by thread: Re: [Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
Index(es):
- Date
- Thread