dvipng

Re: [Dvipng] address@hidden: Re: [vendor-sec] Re: [tlsecurity] Embargoed


From: Jan-Ake Larsson
Subject: Re: [Dvipng] address@hidden: Re: [vendor-sec] Re: [tlsecurity] Embargoed security issue in TeX Live (texlive-bin)]
Date: Wed, 17 Mar 2010 09:27:14 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; sv-SE; rv:1.9.1.8) Gecko/20100227 Lightning/1.0b1 Thunderbird/3.0.3

Jan-Åke Larsson wrote on 03/17/2010 07:53 AM:
> On 2010-03-16 23:13, Karl Berry wrote:
>> Please see this report.  Can you provide a patch?
> 
> Yes. I'll do that this afternoon.

The weakness in SetChar and SetGlyph was fixed in dvipng 1.10 (2008).

The weakness in SetVF remains, though. (Although, in SetVF, the data is
never modified, a virtual font is read beforehand. The result would be
that data from that position would be interpreted as DVI op-codes, and
be output in the PNG as glyphs or whatnot. Other checks would probably
signal strange errors.)

Anyhow, that sort of thing should be fixed. I'll see to that ASAP.

Thanks,
/JÅ



