Bug#709146: several security issues due embedded t1lib

To: Norbert Preining <preining@logic.at>
Cc: "709146@bugs.debian.org" <709146@bugs.debian.org>
Subject: Bug#709146: several security issues due embedded t1lib
From: Ondřej Surý <ondrej@debian.org>
Date: Wed, 22 May 2013 09:03:47 +0200
Message-id: <[🔎] CALjhHG8G-dYefg3O-2HXit4Rz_osHutbeXfQ_WmSeXFNq8V-Gg@mail.gmail.com>
Reply-to: Ondřej Surý <ondrej@debian.org>, 709146@bugs.debian.org
In-reply-to: <[🔎] 20130522011730.GE31907@gamma.logic.tuwien.ac.at>
References: <[🔎] 20130521072142.3353.61038.reportbug@localhost6.localdomain6> <20130521092537.GC4885@gamma.logic.tuwien.ac.at> <CALjhHG8x55SLhiAUU-t60qnk3L8a3WhuWDFdZSUHVAf_BaR4sw@mail.gmail.com> <C02834B9-FACD-43D0-ADCF-E47ABE1E46F0@logic.at> <CALjhHG-jRcoEbtBCvccQREfpsakBT1Z7oN0aSTk-rb7LSwTt1g@mail.gmail.com> <20130521160544.GB15000@gamma.logic.tuwien.ac.at> <CALjhHG8V+7y5u+hs2Wa2ohX8JW54hXC_e=ucN9=cKebK+Bu2MA@mail.gmail.com> <[🔎] 20130522011730.GE31907@gamma.logic.tuwien.ac.at>

Hi Norbert,

On Wed, May 22, 2013 at 3:17 AM, Norbert Preining <preining@logic.at> wrote:
> On Di, 21 Mai 2013, Ondřej Surý wrote:
>> Thanks, there's also an issue of embedded freetype1 which get's
>> compiled into ttf2pk, which is the most horrible one, since freetype1
>> is unsupported for several years now.
>
> Yeah, I know. Fortunately xdvik was converted, but ttf2pk
> is still not. Any suggestion what to do?

Switch these:

configure: Assuming `--enable-ttf2pk=yes'
configure: Assuming `--enable-ttf2pk2=no'

e.g.

diff --git a/debian/rules b/debian/rules
index 389b60f..c8af93e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -76,6 +76,8 @@ override_dh_auto_configure:
        --disable-pmx                           \
        --disable-m-tx                          \
        --disable-texdoctk                      \
+       --disable-ttf2pk                        \
+       --enable-ttf2pk2                        \
        --enable-ipc

 override_dh_auto_install:
diff --git a/debian/texlive-binaries.links b/debian/texlive-binaries.links
index 945b3b8..4c6f491 100644
--- a/debian/texlive-binaries.links
+++ b/debian/texlive-binaries.links
@@ -1,2 +1,3 @@
 usr/bin/pdftex usr/bin/etex
 usr/bin/pdftex usr/bin/pdfetex
+usr/bin/ttf2pk2 usr/bin/ttf2pk

I have a meeting now, but I am doing trial build, will report after it finishes.

If this works, I suggest to run this through a security team and do a
security update of the wheezy.

O.
--
Ondřej Surý <ondrej@sury.org>

Reply to:

References:
- Bug#709146: several security issues due embedded t1lib
  - From: Ondřej Surý <ondrej@debian.org>
- Bug#709146: several security issues due embedded t1lib
  - From: Norbert Preining <preining@logic.at>

Prev by Date: [SCM] Debian packaging of texlive-bin) branch, master, updated. debian/2013.20130522.30620-1-1-g98a3a13
Next by Date: Bug#709273: texlive-binaries: pmpost produces wrong png/svg
Previous by thread: Bug#709146: several security issues due embedded t1lib
Next by thread: Bug#709146: marked as done (several security issues due embedded t1lib)
Index(es):
- Date
- Thread