[XeTeX] [srl at icu-project.org: [HarfBuzz] Fwd: Patch: Multiple security vulnerabilities in ICU Layout Engine]

Khaled Hosny khaledhosny at eglug.org
Sat Apr 20 09:35:03 CEST 2013


Check the last paragraph :)

Regards,
Khaled

---------- Forwarded message ----------
From: *Steven R. Loomis*
Date: Friday, April 19, 2013
Subject: Patch: Multiple security vulnerabilities in ICU Layout Engine
To: icu-announce at lists.sourceforge.net


(FYI: I did not mention HarfBuzz in the post to icu-announce. However, the
download page does mention it.)

( This information is available on http://site.icu-project.org/download/51 )

Dear ICU  users and friends,
 Please find below information about a patch, affecting ALL versions of the
ICU layout engine.


   - 2013-Apr-18: Security Vulnerabilities in the Layout Engine.
      http://bugs.icu-project.org/trac/ticket/10107  (ALL prior versions)
      *Applications which use fonts from untrusted sources are vulnerable
      to security issues.*
         - *Scope: *These issues do not affect applications which don't use
         the ICU Layout Engine. These issues would primarily affect
applications
         which process fonts from untrusted sources, such as webfonts.
         - *NOTE: *Applications *must* implement
*LEFontInstance::getFontTable(LETag,
         size_t &length) * in their LEFontInstance subclasses, so that ICU
         can properly bounds-check font tables.
         - *Cross Reference: *The following RedHat Bug #s, CVEs, and Oracle
         Java bug#s are fixed by the following patch, which is
synchronized with the
         Java 1.7 u update 21:
            -
            - RH# 952656 - CVE-2013-2419 OpenJDK: font processing errors
            (2D, Java #8001031)
            - RH# 952708 - CVE-2013-2383 OpenJDK: font layout and glyph
            table errors (2D, Java #8004986)
            - RH# 952709 - CVE-2013-2384 OpenJDK: font layout and glyph
            table errors (2D, Java #8004987)
            - RH# 952711 - CVE-2013-1569 OpenJDK: font layout and glyph
            table errors (2D, Java #8004994)
         - Patch is located at:  the 'known issues' section of:
         http://site.icu-project.org/download/51


   - *HarfBuzz: *users of ICU Layout are *strongly* encouraged to consider
      the HarfBuzz
project<http://www.freedesktop.org/wiki/Software/HarfBuzz> as
      a replacement for the ICU Layout Engine.  An ICU team member responsible
      for the Layout Engine is contributing fixes and features to
HarfBuzz, and a
      drop in wrapper is available to allow use of HarfBuzz as a direct
      replacement for the ICU layout engine. See:
      http://www.freedesktop.org/wiki/Software/HarfBuzz

----- End forwarded message -----


More information about the XeTeX mailing list