[XeTeX] How to manually create the xelatex.fmt?

Chris Travers chris.travers at gmail.com
Fri Oct 21 01:42:57 CEST 2011


On Thu, Oct 20, 2011 at 4:07 PM, Herbert Schulz <herbs at wideopenwest.com> wrote:

> Howdy,
>
> I'm not at all sure I understand what you're getting at but I'm interested in understanding it. Can you give an example where something like what you hypothesize in the last paragraph has happened with the binaries or packages supplied with TeX Live?
>
> Another thing I don't understand is that you refer to LaTeX as a library that one links to, while I've always just considered it a macro package that builds upon the ~300 or so built-in low level commands supplied by TeX (and other engines that pass the trip test) to build a higher level language closer to the way people deal with documents.
>

TexLive isn't old enough for the major vulnerabilities in dependencies
that come to mind to affect it.  So it hasn't happened yet.  But
something similar would have affected the statically linked binaries
if TexLive was available in 2001-2002.  What happened then is a
cautionary tale about the evils of static linking.

At the time a large portion of the industry was writing software
statically linked against zlib (which btw, LaTeX and XeTeX both link
against, so if the TexLive stuff is statically linked, it would be in
the same category), which is used for a number of compression and
decompression routines.  Nobody thought anything of it.  The code was
believed to be secure, and to perform better when statically linked,
so everybody did it.

Then a vulnerability was discovered
(http://www.cert.org/advisories/CA-2002-07.html).  It seemed that if
certain improper data was fed to zlib, one could tamper with proper
allocation and de-allocation of memory, causing programs to crash or,
at least in theory, insert arbitrary executable commands into a
running program on a binary level.  Now *everybody* had to issue
security patches.  Because so much was statically linked to zlib,
however, it wasn't enough to just update the library.  One had to
install patched versions of the software.  If you were on Linux, it
was surprising the number of packages that had to be updated, all
because of a glitch in *one* library.  If you were on Windows, you
weren't spared either.  A lot of Microsoft software was statically
linked to the library, meaning Windows Update went crazy (I was
working at Microsoft's Product Support Services at the time and I
remember this distinctly).

If TexLive had been around in 2002 and was statically linking to zlib,
it would have been affected too.  TeX does not link against zlib but
LaTeX and XeTeX do.

Similarly, arbitrary code execution vulnerabilities were found in
2005 in libjpeg (also linked to by LaTeX and XeTeX).  Again these
predate TexLive.

So my answer is that TexLive binaries, distributed as they currently
are, are simply too young to have hit the major cases of these
problems so far.  However, the library dependencies are anything but
trivial-- ldd gives me 17 libraries that xetex is linked against and
15 that latex is linked against.  It seems for those of us with a
longer memory, extensive static linking is asking for trouble....

Best Wishes,
Chris Travers
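The check behind the "ldd gives me 17 libraries" figure above, as an added example that is not part of the original thread: a small POSIX shell script that parses `ldd`-style output, counts the shared libraries a binary pulls in, tests whether a given library (such as libz.so or libjpeg.so) is among them, and flags binaries that `ldd` reports as not dynamically linked, since those would not pick up a shared-library fix at all. The sample `ldd` listing embedded below is constructed to look like a TeX Live xetex on Linux; its paths and addresses are illustrative, not measurements from a real install.

```shell
#!/bin/sh
# Added example: audit which shared libraries a set of binaries depend on,
# and flag binaries that appear statically linked (a shared-library update
# such as the 2002 zlib fix would not reach those; they need a rebuild).

# Print the sonames referenced in an ldd-style listing ($1), one per line.
# Only "libfoo.so.N => /path (0x...)" lines count; vdso and the dynamic
# loader line carry no "=>" and are skipped.
ldd_sonames() {
    printf '%s\n' "$1" | awk '/=>/ { print $1 }' | sort -u
}

# Number of distinct shared libraries in an ldd-style listing ($1).
ldd_count() {
    ldd_sonames "$1" | grep -c . || true
}

# Exit 0 if the listing ($1) references a library whose soname begins
# with $2 (e.g. "libz.so" or "libjpeg.so"), 1 otherwise.
ldd_links_against() {
    ldd_sonames "$1" | grep -q "^$2"
}

# Classify a real binary on this host: "missing" if there is no such
# executable, "static" if ldd reports no dynamic section, else "dynamic".
classify_binary() {
    [ -x "$1" ] || { echo missing; return; }
    if ldd "$1" 2>&1 | grep -qi 'not a dynamic executable'; then
        echo static
    else
        echo dynamic
    fi
}

# Constructed sample shaped like `ldd xetex` on a Linux host (illustrative
# paths and load addresses, not a real measurement).
SAMPLE_XETEX='    linux-vdso.so.1 (0x00007ffd00000000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000000000)
    libjpeg.so.8 => /usr/lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f0100000000)
    libpng16.so.16 => /usr/lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f0200000000)
    libfontconfig.so.1 => /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007f0300000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0400000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0500000000)'

# Usage: sh audit_linkage.sh /path/to/xetex /path/to/pdftex ...
# For each binary: report static/dynamic, the shared-library count, and
# whether the libraries named in the thread are among the dependencies.
for bin in "$@"; do
    kind=$(classify_binary "$bin")
    printf '%s: %s\n' "$bin" "$kind"
    if [ "$kind" = dynamic ]; then
        out=$(ldd "$bin" 2>/dev/null)
        printf '  %s shared libraries\n' "$(ldd_count "$out")"
        for lib in libz.so libjpeg.so libpng; do
            ldd_links_against "$out" "$lib" && printf '  links against %s\n' "$lib"
        done
    fi
done
```

Run it against the binaries in a TeX Live `bin/` directory to see which ones share a libz or libjpeg dependency; anything reported as `static` is the case the message warns about, because patching the system library leaves that binary unchanged.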
