Frank Küster
2009-Sep-17 12:11 UTC
[Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
Hi,

This DSA made me aware that there might be a problem in texlive. It contains a changed copy of libicu; the changes are needed by xetex, and xetex upstream intends to have them merged. But for the time being, the code copy is there.

I fear I won't have time to work on a security update of texlive right now, and Norbert is busy as well.

I have added the information to embedded-code-copies; a diff (which also includes some more TeXLive-related corrections) is attached.

Regards, Frank

--
Dr. Frank Küster
Debian Developer (TeXLive)
VCD Aschaffenburg-Miltenberg, ADFC Miltenberg
B90/Grüne KV Miltenberg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: embedded-code-copies.diff
Type: text/x-diff
Size: 1612 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090917/10db665a/attachment.diff>
Michael Gilbert
2009-Sep-17 16:09 UTC
[Secure-testing-team] Embedded ICU copy in texlive-bin (was: [SECURITY] [DSA 1889-1] New icu packages correct multibyte sequence parsing)
On Thu, 17 Sep 2009 14:11:16 +0200, Frank Küster wrote:

> Hi,
>
> This DSA made me aware that there might be a problem in texlive. It
> contains a changed copy of libicu; the changes are needed by xetex, and
> xetex upstream intends to have them merged. But for the time being, the
> code copy is there.
>
> I fear I won't have time to work on a security update of texlive right
> now, and Norbert is busy as well.
>
> I have added the information to embedded-code-copies, a diff (which also
> includes some more TeXLive-related corrections) is attached.

thanks for the info. a couple questions:

1. why should texlive-base be removed from the xpdf embeds? it's already being tracked as fixed.

2. if there is no build-dep for texlive-bin on t1, how are you sure that that link is being done correctly, and not falling back on the embed?

also note that <unknown> means that the issue is fixed, we just don't know which version is the first that had the fix, so those issues shouldn't be marked <not-affected>.

mike