[XeTeX] How to manually create the xelatex.fmt?

Herbert Schulz herbs at wideopenwest.com
Fri Oct 21 03:17:37 CEST 2011


On Oct 20, 2011, at 6:42 PM, Chris Travers wrote:

> On Thu, Oct 20, 2011 at 4:07 PM, Herbert Schulz <herbs at wideopenwest.com> wrote:
> 
>> Howdy,
>> 
>> I'm not at all sure I understand what you're getting at but I'm interested in understanding it. Can you give an example where something like what you hypothesize in the last paragraph has happened with the binaries or packages supplied with TeX Live?
>> 
>> Another thing I don't understand is that you refer to LaTeX as a library that one links to, while I've always just considered it a macro package that builds upon the ~300 or so built-in low level commands supplied by TeX (and other engines that pass the trip test) to build a higher level language closer to the way people deal with documents.
>> 
> 
> TexLive isn't old enough for the major vulnerabilities in dependencies
> that come to mind to affect it.  So it hasn't happened yet.  But
> something similar would have affected the statically linked binaries
> if TexLive was available in 2001-2002.  What happened then is a
> cautionary tale about the evils of static linking.
> 
> At the time a large portion of the industry was writing software
> statically linked against zlib (which btw, LaTeX and XeTeX both link
> against, so if the TexLive stuff is statically linked, it would be in
> the same category), which is used for a number of compression and
> decompression routines.  Nobody thought anything of it.  The code was
> believed to be secure, and to perform better when statically linked,
> so everybody did it.
> 
> Then a vulnerability was discovered
> (http://www.cert.org/advisories/CA-2002-07.html).  It seemed that if
> certain improper data was fed to zlib, one could tamper with proper
> allocation and de-allocation of memory, causing programs to crash or,
> at least in theory, insert arbitrary executable commands into a
> running program on a binary level.  Now *everybody* had to issue
> security patches.   Because so much was statically linked to zlib,
> however, it wasn't enough to just update the library.  One had to
> install patched versions of the software.  If you were on Linux, it
> was surprising the number of packages that had to be updated, all
> because of a glitch in *one* library.  If you were on Windows, you
> weren't spared either.  A lot of Microsoft software was statically
> linked to the library, meaning Windows Update went crazy (I was
> working at Microsoft's Product Support Services at the time and I
> remember this distinctly).
> 
> If TexLive had been around in 2002 and was statically linking to zlib,
> it would have been affected too.  TeX does not link against zlib but
> LaTeX and XeTeX do.
> ...

Howdy,

Of course the reverse could just as likely happen. Some binary is statically linked to a perfectly stable zlib and along comes a new zlib that turns out, unknowingly for a long time, to have vulnerabilities so all binaries that are dynamically linked to zlib are now, unknowingly, vulnerable.

Also, you say ``TeX does not link against zlib but LaTeX and XeTeX do'' and I don't understand that since LaTeX is simply a macro package that sits on top of TeX and isn't linked to anything like zlib as far as I know. XeTeX is an engine but I don't know what it's linked to.

Good Luck,

Herb Schulz
(herbs at wideopenwest dot com)
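Chris's point that a statically linked zlib has to be found binary by binary is a practical inventory problem. The following is an added example, not code from this thread or from TeX Live: it reads the DT_NEEDED entries straight out of an ELF64 program header (no ldd, so it also works on binaries you cannot or would not execute) and, for the static case, looks for the " inflate <version> Copyright" / " deflate <version> Copyright" strings that zlib's inflate.c and deflate.c compile into any binary that contains them. The sample ELF images it builds are constructed test input, and the TeX Live path in the usage comment is an assumption.

```python
import re
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

# zlib's inflate_copyright / deflate_copyright arrays survive static linking,
# so their presence (and the version inside them) reveals an embedded copy.
ZLIB_COPYRIGHT = re.compile(rb" (?:inflate|deflate) (\d+\.\d+(?:\.\d+)*) Copyright")


def elf64_needed(data):
    """Return the DT_NEEDED names of a little-endian ELF64 image.
    A static executable has no PT_DYNAMIC segment, so it yields [] just
    like a file that is not ELF at all."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []

    def to_offset(vaddr):
        # DT_STRTAB holds a virtual address; translate it through PT_LOAD.
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return seg_off + (vaddr - seg_vaddr)
        raise ValueError("DT_STRTAB address not backed by any PT_LOAD segment")

    needed_offsets, strtab = [], None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from("<qQ", data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab = to_offset(val)
    if strtab is None:
        return []
    names = []
    for off in needed_offsets:
        start = strtab + off
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def zlib_linkage(data):
    """Which libz.so.* a binary loads dynamically, and which zlib version
    (if any) is compiled into it statically."""
    dynamic = [n for n in elf64_needed(data)
               if n == "libz.so" or n.startswith("libz.so.")]
    m = ZLIB_COPYRIGHT.search(data)
    return {"dynamic": dynamic,
            "embedded_version": m.group(1).decode() if m else None}


def build_sample_elf(needed, extra=b""):
    """Constructed test input: a minimal (not runnable) little-endian ELF64
    image whose dynamic section lists `needed`; `extra` is appended raw."""
    strtab, name_offsets = b"\0", []
    for name in needed:
        name_offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    strtab_off = 64 + 2 * 56                       # header + two program headers
    dyn_off = strtab_off + len(strtab)
    dyn_off += (-dyn_off) % 8                      # align the dynamic section
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn) + len(extra)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    # One identity-mapped PT_LOAD covering the whole file, then PT_DYNAMIC.
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    image = ehdr + phdrs + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn + extra


def inventory(paths):
    """Map each path to its zlib linkage; unreadable files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                report[path] = zlib_linkage(f.read())
        except OSError:
            continue
    return report


if __name__ == "__main__":
    # Usage (path is an assumption): python zlib_inventory.py /usr/local/texlive/2011/bin/*/xetex
    for path, info in inventory(sys.argv[1:]).items():
        print(f"{path}: dynamic={info['dynamic'] or '-'} "
              f"embedded={info['embedded_version'] or '-'}")
```

The copyright-string check is deliberately format agnostic: it also fires on Mach-O and PE files, which is where a statically linked zlib hides from ldd-style tooling. A binary that shows both a libz.so.* dependency and an embedded version string is worth a closer look, since it carries two copies that need patching separately.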