[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#582116: texlive-bin: CVE-2010-0829 multiple array index errors

Hi Michael,

On Di, 18 Mai 2010, Michael Gilbert wrote:
> this is actually my fault.  i had recently checked the texlive-bin
> package for the existence embedded code copies, but didn't do a
> complete job to determine if those embeds were actually.  that's a lot

Well, dlocate dvipng is not that hard I would say. We are not talking
about code in a library, but a separate program.

Furthermore, please contact one of us in private before doing these
things, and it might be good to contact tlsecurity@tug.org, too.

> along with dvipng, i found the presence of source code from these other
> packages (and no dependency on the system lib). can you confirm that all
> of these are also unused?

depends --->

> libgd2

not used: --with-system-gd

> icu

is used definitely, since it is changed from upstream and the one distributed
by Debian cannot be used. Jonathan is trying to get his adjustments into
upstream already, but IBM is slow on that.

> libjpeg

not sure.

> dvipdfmx

that is now part of texlive-binaries, was taken over in texlive 2009 from
the separate package.

In the 2007 packages that is not installed (but build)

> lcdf-typetools

not build, not installed

> tex4ht

not build, not installed

> freetype
> freetype2



> silgraphite

in xetex, yes, used there

> unzip

not used: -with-system-zlib 

you forgot t1utils, dvidvi, lacheck, libpng, psutils, musixflx
in the list of duplicated source code.

But those are not build

Best wishes

Norbert Preining            preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan                                 TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
WATH (n.)
The rage of Roy Jenkins.
			--- Douglas Adams, The Meaning of Liff

Reply to: