[tex-live] TeXLive2007: Bug in (Xe)TeX for 64bit and big endianess

Frank Küster frank at kuesterei.ch
Wed May 9 10:17:45 CEST 2007


"Thanh Han The" <hanthethanh at gmail.com> wrote:

> I also never wanted poppler instead of xpdf and never voted
> for it. I doubt very much it would bring any advantage at
> all, while the problems it caused are quite obvious.

Sorry, but it's not your choice.  Ubuntu started using it, our security
team urged us to do the same, Suse does it, and I am not the one to
decide, really.

Although I must say I wholeheartedly agree with it.  The impact of
security bugs in xpdf code may be small, but it's a general policy of
Linux distributors to either fix security issues once they are known, or
to show that they do not apply or are not exploitable in a given
incarnation of the code.

As long as pdftex ships a complete copy of xpdf code, I wouldn't dare to
judge "doesn't apply" without at least an intermediate level of
understanding of xpdf and how pdftex uses it.  I don't have that
understanding and cannot afford the time to learn it, and I fear that's
true for most people responsible for those packages in Linux distros,
even those who get paid for their distribution work.

So we're left with fixing the bugs, but that is, unfortunately, *not*
just a question of taking the xpdf patch, applying it to the sources and
recompiling the packages.  That would be relatively easy and per se not
a reason for a switch to poppler.  The real problem is that in almost
all cases, the published patch does not apply because the copies of xpdf
in pdftex, pdftohtml, cups, forgotwhat all have slightly different
versions.  Plus we need to support our stable distribution, which meant
patching xpdf 1.x, 2.x and 3.x at some point in Debian (with sometimes
two or more different values for each x).

> I am a Debian user myself. There was a time when my xpdf
> segfaulted for a certain pdf. I reported the problem to
> Derek and then we found out that the problem happened only
> with the binaries provided by Debian. Of course it's not
> hard to guess what was Derek's reaction then.

This is totally unrelated, because patches to the xpdf sources in Debian
have exactly zero effect on pdftex, no matter whether it uses its own
xpdf copy or libpoppler.

Regards, Frank
-- 
Dr. Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)

