Bug#709146: ttf2pk versus ttf2pk2
Hi,
I would like to point out that there has been many security issues in
freetype2 since the switch from freetype1 and nobody did a security
analysis of freetype1 for a long time, which means that some of those
CVEs in freetype2 probably also applies to freetype1.
You really should drop the freetype1 library, when you have the
release window to do so.
The security risk is there as long as ttf2pk can have arbitrary files
on the input, which seems to be the case.
The user can be tricked to download a malicious TTF file on the web
and convert it to PK file to trigger some vulnerability. Fortunatelly
the penetration of 'mindlessly download anything from the web' users
and TeX-users is probably small enough for black hats to not care.
O.
P.S.: I only used TeX to write my thesis, so I might miss something,
because my views are limited to security.
On Wed, May 22, 2013 at 9:31 AM, Norbert Preining <preining@logic.at> wrote:
> Hi Karl, hi all,
>
> since libfreetype(1) is old and unsupported and whatever, I was wondering
> why we have ttf2pk and ttf2pk2 and only use ttf2pk.
>
> Is there a reason for it, and why do we not switch to ttf2pk2
> and get rid of one more lib in libs?
>
> Of course, not for TL2013 - but I ask for Debian where Ondřej was
> so nice to point me at this option.
>
> Norbert
>
> ------------------------------------------------------------------------
> PREINING, Norbert http://www.preining.info
> JAIST, Japan TeX Live & Debian Developer
> DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
> ------------------------------------------------------------------------
--
Ondřej Surý <ondrej@sury.org>
Reply to: