On Oct 20, 2011, at 6:42 PM, Chris Travers wrote:

> On Thu, Oct 20, 2011 at 4:07 PM, Herbert Schulz <he...@wideopenwest.com> wrote:
>
>> Howdy,
>>
>> I'm not at all sure I understand what you're getting at but I'm interested in understanding it. Can you give an example where something like what you hypothesize in the last paragraph has happened with the binaries or packages supplied with TeX Live?
>>
>> Another thing I don't understand is that you refer to LaTeX as a library that one links to, while I've always just considered it as a macro package that builds upon the ~300 or so built-in low level commands supplied by TeX (and other engines that pass the trip test) to build a higher level language closer to the way people deal with documents.
>
> TexLive isn't old enough for the major vulnerabilities in dependencies that come to mind to affect it. So it hasn't happened yet. But something similar would have affected the statically linked binaries if TexLive had been available in 2001-2002. What happened then is a cautionary tale about the evils of static linking.
>
> At the time a large portion of the industry was writing software statically linked against zlib (which btw, LaTeX and XeTeX both link against, so if the TexLive stuff is statically linked, it would be in the same category), which is used for a number of compression and decompression routines. Nobody thought anything of it. The code was believed to be secure, and to perform better when statically linked, so everybody did it.
>
> Then a vulnerability was discovered (http://www.cert.org/advisories/CA-2002-07.html). It seemed that if certain improper data was fed to zlib, one could tamper with proper allocation and de-allocation of memory, causing programs to crash or, at least in theory, insert arbitrary executable commands into a running program on a binary level. Now *everybody* had to issue security patches.
>
> Because so much was statically linked to zlib, however, it wasn't enough to just update the library. One had to install patched versions of the software. If you were on Linux, it was surprising the number of packages that had to be updated, all because of a glitch in *one* library. If you were on Windows, you weren't spared either. A lot of Microsoft software was statically linked to the library, meaning Windows Update went crazy (I was working at Microsoft's Product Support Services at the time and I remember this distinctly).
>
> If TexLive had been around in 2002 and was statically linking to zlib, it would have been affected too. TeX does not link against zlib but LaTeX and XeTeX do.
> ...

Howdy,

Of course the reverse could just as likely happen. Some binary is statically linked to a perfectly stable zlib and along comes a new zlib that turns out, unknowingly for a long time, to have vulnerabilities, so all binaries that are dynamically linked to zlib are now, unknowingly, vulnerable.

Also, you say ``TeX does not link against zlib but LaTeX and XeTeX do'' and I don't understand that since LaTeX is simply a macro package that sits on top of TeX and isn't linked to anything like zlib as far as I know. XeTeX is an engine but I don't know what it's linked to.

Good Luck,

Herb Schulz
(herbs at wideopenwest dot com)

--------------------------------------------------
Subscriptions, Archive, and List information, etc.:
http://tug.org/mailman/listinfo/xetex
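The practical problem behind Chris's static-linking point is that a statically linked zlib never shows up in a binary's shared-library dependencies, so an inventory of what needs repatching has to look inside the binaries. The scanner below is an added example, not code from this thread or from TeX Live: it searches for the version banner zlib compiles into inflate.c and deflate.c (" inflate 1.2.11 Copyright ... Mark Adler ") and flags embedded copies older than an assumed minimum, taken here as 1.1.4, the release that closed CA-2002-07; the sample "binaries" are constructed byte strings so it runs offline.

```python
import re

# zlib compiles a copyright banner into every copy of inflate.c and deflate.c,
# e.g. " inflate 1.2.11 Copyright 1995-2017 Mark Adler ". Seeing that string in
# a binary's data is a reliable sign of a statically linked (embedded) zlib.
ZLIB_BANNER = re.compile(rb" (inflate|deflate) (\d+)\.(\d+)(?:\.(\d+))? Copyright ")

# Assumption: zlib 1.1.4 fixed the double-free described in CA-2002-07, so
# anything older is treated as needing a rebuild.
MIN_SAFE_VERSION = (1, 1, 4)


def find_embedded_zlib(data: bytes):
    """Return the sorted, distinct zlib versions whose banner appears in data."""
    found = set()
    for m in ZLIB_BANNER.finditer(data):
        major, minor, patch = m.group(2), m.group(3), m.group(4) or b"0"
        found.add((int(major), int(minor), int(patch)))
    return sorted(found)


def audit_blob(name: str, data: bytes, min_safe=MIN_SAFE_VERSION):
    """Classify one binary image as 'none' (no embedded zlib), 'ok' or 'vulnerable'."""
    versions = find_embedded_zlib(data)
    if not versions:
        return name, "none", []
    status = "vulnerable" if min(versions) < min_safe else "ok"
    return name, status, [".".join(map(str, v)) for v in versions]


def audit_file(path: str, min_safe=MIN_SAFE_VERSION):
    """Same check against a real file on disk (e.g. a TeX Live engine binary)."""
    with open(path, "rb") as fh:
        return audit_blob(path, fh.read(), min_safe)


# Constructed stand-ins for binaries: an old static copy, a current static copy,
# and a dynamically linked program that only names libz.so and carries no banner.
SAMPLES = {
    "old-static": b"\x7fELF...\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00",
    "new-static": (b"\x7fELF...\x00 deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly"
                   b" and Mark Adler \x00 inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"),
    "dynamic": b"\x7fELF...\x00libz.so.1\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(audit_blob(name, blob))
```

A "none" result only means no embedded copy was found; a dynamically linked program is covered by updating the shared libz instead, which is exactly the split the thread is arguing about.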