[tex-live] Some minor patches against Build/source and perhaps something more important about ICU

Alexis Ballier aballier at gentoo.org
Mon Mar 3 10:07:04 CET 2008


Hello Jonathan,

> > Now something that is probably more important: ICU has had a
> > security issue recently discovered (refs [3,4,5,6]). I've never
> > been able to make xetex build against system ICU (either it uses
> > internal headers or ICU does not install all its headers correctly;
> > due to some things I've seen in their headers I tend to think it's
> > the latter, but I never really jumped into that one);
> 
> No, xetex cannot build against the system ICU because it uses some  
> extensions to support OpenType functionality that is not (yet)  
> available in the standard library. (Naturally, I hope that in due  
> course the necessary features will be added in ICU, at which point  
> we'll be able to use the system lib, but we're not there yet.)

Ha! Thanks for the explanation; that explains why I always failed. I
had always stopped at the point where I needed non-installed headers
from ICU and/or ran into inconsistencies in their installed headers
(like them trying to include some non-installed headers...).


> > anyway, the fact is that it uses its own icu
> > copy that is vulnerable. I've patched this locally (better safe than
> > sorry) but I'm not sure if this vulnerability can affect xetex or
> > not.
> 
> I don't believe so. The issues described in these reports relate to  
> regular expression processing, but xetex does not make any use of
> the ICU regex functions.
> 
> I'll be updating the ICU code to release 3.8.1 shortly (it's in
> place in the xetex repository, but the new version is not yet merged
> to texlive). I'd be happy to apply a patch for this issue, too,
> although as xetex does not use that part of ICU, it's not an urgent
> problem.


Perfect, thanks for the explanation.
For the patch against ICU, one can be found at [1]; there are probably
other places to find it, but this one should apply against 3.8.1.
As you said it's a non-issue, perhaps you would like not to apply it,
because it would give you some extra work for future ICU merges in
xetex; I don't know how you are working there.

Regards,

Alexis.



[1] http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770%2B4771.diff?rev=1.1