Bug#582116: texlive-bin: CVE-2010-0829 multiple array index errors
Hi Michael,
On Tue, 18 May 2010, Michael Gilbert wrote:
> this is actually my fault. i had recently checked the texlive-bin
> package for the existence of embedded code copies, but didn't do a
> complete job to determine if those embeds were actually. that's a lot
Well, dlocate dvipng is not that hard I would say. We are not talking
about code in a library, but a separate program.
Furthermore, please contact one of us in private before doing these
things, and it might be good to contact tlsecurity@tug.org, too.
> along with dvipng, i found the presence of source code from these other
> packages (and no dependency on the system lib). can you confirm that all
> of these are also unused?
depends --->
> libgd2
not used: --with-system-gd
> icu
is used definitely, since it is changed from upstream and the one distributed
by Debian cannot be used. Jonathan is trying to get his adjustments into
upstream already, but IBM is slow on that.
> libjpeg
not sure.
> dvipdfmx
that is now part of texlive-binaries, was taken over in texlive 2009 from
the separate package.
In the 2007 packages that is not installed (but built)
> lcdf-typetools
not built, not installed
> tex4ht
not built, not installed
> freetype
> freetype2
--with-system-freetype2
freetype(1)???
> silgraphite
in xetex, yes, used there
> unzip
not used: --with-system-zlib
you forgot t1utils, dvidvi, lacheck, libpng, psutils, musixflx
in the list of duplicated source code.
But those are not built
Best wishes
Norbert
------------------------------------------------------------------------
Norbert Preining preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
WATH (n.)
The rage of Roy Jenkins.
--- Douglas Adams, The Meaning of Liff