[tex-live] Some minor patches against Build/source and perhaps something more important about ICU

Jonathan Kew jonathan_kew at sil.org
Fri Feb 29 21:28:11 CET 2008

Hi Alexis,

Thanks for your report - see comments below.

On 29 Feb 2008, at 6:27 pm, Alexis Ballier wrote:

> Now something that is probably more important: ICU has had a security
> issue recently discovered (refs [3,4,5,6]). I've never been able to
> make xetex build against system icu (either it uses internal  
> headers or
> icu does not install correctly all its headers; due to some things  
> I've
> seen in their headers I tend to think its the latter but I never  
> really
> jumped into that one);

No, xetex cannot build against the system ICU because it uses some  
extensions to support OpenType functionality that is not (yet)  
available in the standard library. (Naturally, I hope that in due  
course the necessary features will be added in ICU, at which point  
we'll be able to use the system lib, but we're not there yet.)

> anyway, the fact is that it uses its own icu
> copy that is vulnerable. I've patched this locally (better safe than
> sorry) but I'm not sure if this vulnerability can affect xetex or not.

I don't believe so. The issues described in these reports relate to  
regular expression processing, but xetex does not make any use of the  
ICU regex functions.

I'll be updating the ICU code to release 3.8.1 shortly (it's in place  
in the xetex repository, but the new version is not yet merged to  
texlive). I'd be happy to apply a patch for this issue, too, although  
as xetex does not use that part of ICU, it's not an urgent problem.


More information about the tex-live mailing list