[tex-live] TeXLive2007: Bug in (Xe)TeX for 64bit and big endianess

Thanh Han The hanthethanh at gmail.com
Wed May 9 13:34:00 CEST 2007

On Wed, May 09, 2007 at 10:17:45AM +0200, Frank Küster wrote:
> "Thanh Han The" <hanthethanh at gmail.com> wrote:
> > I also never wanted poppler instead of xpdf and never voted
> > for it. I doubt very much it would bring any advantage at
> > all, while the problems it caused are quite obvious.
> Sorry, but it's not your choice.  Ubuntu started using it, our security
> team urged us to do the same, Suse does it, and I am not the one to
> decide, really.
> Although I must say I wholeheartedly agree with it.  The impact of
> security bugs in xpdf code may be small, but it's a general policy of
> Linux distributors to either fix security issues once they are known, or
> to show that they do not apply or are not exploitable in a given
> incarnation of the code.
> As long as pdftex ships a complete copy of xpdf code, I wouldn't dare to
> judge "doesn't apply" without at least an intermediate level of
> understanding of xpdf and how pdftex uses it.  I don't have that
> understanding and cannot afford the time to learn it, and I fear that's
> true for most people responsible for those packages in Linux distros,
> even those who get paid for their distribution work.
> So we're left with fixing the bugs, but that is, unfortunately, *not*
> just a question of taking the xpdf patch, applying it to the sources and
> recompiling the packages.  That would be relatively easy and per se not
> a reason for a switch to poppler.  The real problem is that in almost
> all cases, the published patch does not apply because the copies of xpdf
> in pdftex, pdftohtml, cups, forgotwhat all have slightly different
> versions.  Plus we need to support our stable distribution, which meant
> patching xpdf 1.x, 2.x and 3.x at some point in Debian (with sometimes
> two or more different values for each x).

My vote is to have pdftex linked statically against xpdf
codes, and apply relevant patches to the xpdf codes in the
source tree of pdftex if needed. The responsibility should be
on the pdftex team to verify and apply any patch if needed.

> > I am a debian user myself. There was a time when my xpdf
> > segfaulted for a certain pdf. I reported the problem to
> > Derek and then we found out that the problem happened only
> > with the binaries provided by debian. Of course it's not
> > hard to guess what was Derek's reaction then.
> This is totally unrelated, because patches to the xpdf sources in Debian
> have exactly zero effect on pdftex, no matter whether it uses its own
> xpdf copy or libpoppler.

Yes, this is little (if at all) related to pdftex, since I
didn't talk about pdftex in this case but xpdf. From the
perspective of an end Debian user, it doesn't look good when
the distro I use provides xpdf binary that segfaults and the
original one from Derek (with the same version) doesn't.
Which raises the question: do the patches provided by
distros really improve xpdf?

As you mentioned above, since I cannot afford the time to
learn and understand all xpdf and poppler code and related
patches, I have to trust someone who understands xpdf best
and is responsible for xpdf. For me it's the xpdf author,
Derek, and not the poppler maintainers, sorry. If a serious
problem with xpdf is found, I believe Derek would deal with
it in the way that is best to him, since after all it's also
his interest to have xpdf reliable.

