[tex-live] Some minor patches against Build/source and perhaps something more important about ICU
jonathan_kew at sil.org
Fri Feb 29 21:28:11 CET 2008
Thanks for your report - see comments below.

On 29 Feb 2008, at 6:27 pm, Alexis Ballier wrote:
> Now something that is probably more important: ICU has had a security
> issue recently discovered (refs [3,4,5,6]). I've never been able to
> make xetex build against system icu (either it uses internal headers or
> icu does not install correctly all its headers; due to some things
> seen in their headers I tend to think it's the latter but I never
> jumped into that one);

No, xetex cannot build against the system ICU because it uses some
extensions to support OpenType functionality that is not (yet)
available in the standard library. (Naturally, I hope that in due
course the necessary features will be added in ICU, at which point
we'll be able to use the system lib, but we're not there yet.)

> anyway, the fact is that it uses its own icu
> copy that is vulnerable. I've patched this locally (better safe than
> sorry) but I'm not sure if this vulnerability can affect xetex or not.

I don't believe so. The issues described in these reports relate to
regular expression processing, but xetex does not make any use of the
ICU regex functions.

I'll be updating the ICU code to release 3.8.1 shortly (it's in place
in the xetex repository, but the new version is not yet merged to
texlive). I'd be happy to apply a patch for this issue, too, although
as xetex does not use that part of ICU, it's not an urgent problem.