Fwd: [USN-6695-1] TeX Live vulnerabilities

Norbert Preining norbert at preining.info
Fri Mar 15 03:18:04 CET 2024


On Thu, 14 Mar 2024, Karl Berry wrote:
>     https://ubuntu.com/security/notices/USN-6695-1

Uggh what?
> An attacker could possibly use this issue to cause TeX Live
> to crash, resulting in a denial of service.

Complete rubbish, who wrote that?

> Anyway, if someone can unearth the actual patches from Ubuntu's

I think all this is already in TL since long:
	https://github.com/TeX-Live/texlive-source/pull/63
and
	2024-01-21  Karl Berry  <karl at freefriends.org>

	* libttf/hdmx.c (ttfLoadHDMX): calloc the number of widths that we
	actually read, namely numGlyphs+1. I don't understand why this
	is numGlyphs+1 and not numGlyphs, per
	https://developer.apple.com/fonts/TrueType-Reference-Manual/RM06/Chap6hdmx.html
	but since the program has always read numGlyphs+1, just leaving it.
	Report (and alternate fix) from attackoncs,
	https://github.com/TeX-Live/texlive-source/pull/63

Best wishes

Norbert

--
PREINING Norbert                              https://www.preining.info
arXiv / Cornell University   +   IFMGA Guide   +   TU Wien  +  TeX Live
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
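For readers following the ChangeLog entry above: the defect it fixes is an allocation counted in numGlyphs while the loader fills numGlyphs+1 entries, so the last write lands past the end of the calloc'd block. The code below is an added illustration, not TeX Live's libttf/hdmx.c; it assumes a simplified device record of a 1-byte pixel size, a 1-byte maximum width and one width byte per entry, keeps the program's numGlyphs+1 read count exactly as the ChangeLog describes, and adds the input-length check a loader of untrusted font data needs so a truncated table fails cleanly instead of reading past the buffer. The sample record bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified hdmx device record: a 1-byte pixel size, a
 * 1-byte maximum width, then one width byte per entry. Added example,
 * not TeX Live's libttf code. */
typedef struct {
    uint8_t  pixelSize;
    uint8_t  maxWidth;
    uint8_t *widths;   /* exactly nwidths entries */
    size_t   nwidths;
} DeviceRecord;

/* The loader has always consumed numGlyphs+1 widths per record (per the
 * ChangeLog); the allocation has to match that count, not numGlyphs. */
static size_t widths_read_per_record(uint16_t numGlyphs)
{
    return (size_t)numGlyphs + 1;
}

/* Parse one device record from an untrusted buffer.
 * Returns 0 on success, -1 if the buffer is too short or calloc fails.
 * The bounds check runs before any allocation or copy, so a truncated
 * table cannot make us read past `len`; the allocation size equals the
 * number of bytes copied, so the copy cannot run past the allocation. */
int load_device_record(const uint8_t *buf, size_t len, uint16_t numGlyphs,
                       DeviceRecord *out)
{
    size_t n = widths_read_per_record(numGlyphs);
    if (len < 2 + n)          /* header + widths must fit in the input */
        return -1;
    out->widths = calloc(n, sizeof *out->widths);   /* n, not numGlyphs */
    if (out->widths == NULL)
        return -1;
    out->pixelSize = buf[0];
    out->maxWidth  = buf[1];
    memcpy(out->widths, buf + 2, n);
    out->nwidths = n;
    return 0;
}

void free_device_record(DeviceRecord *r)
{
    free(r->widths);
    r->widths = NULL;
    r->nwidths = 0;
}

/* Constructed sample record for numGlyphs = 3: header 11,7 then four widths. */
static const uint8_t sample_record[] = { 11, 7, 5, 6, 7, 8 };

/* Loads the full sample and returns the last width, the (numGlyphs+1)-th
 * byte that an undersized calloc(numGlyphs) would have placed out of bounds. */
int demo_load_ok(void)
{
    DeviceRecord r;
    if (load_device_record(sample_record, sizeof sample_record, 3, &r) != 0)
        return -1;
    int last = r.widths[r.nwidths - 1];
    free_device_record(&r);
    return last;
}

/* Feeds a record truncated by one byte; the loader must refuse it (-1)
 * instead of reading past the end of the buffer. */
int demo_load_truncated(void)
{
    DeviceRecord r;
    return load_device_record(sample_record, sizeof sample_record - 1, 3, &r);
}

int main(void)
{
    printf("full record: last width = %d\n", demo_load_ok());
    printf("truncated record: rc = %d\n", demo_load_truncated());
    return 0;
}
```

The point to take from it is that the allocation count and the read count should come from the same expression (here widths_read_per_record), so they cannot drift apart again, and that the length check against the input buffer is a separate requirement: matching calloc to the read count stops the heap write past the allocation, but only the `len < 2 + n` check stops an over-read of a truncated font file.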

