t1lib needs patch for afm parser; has other unpatched issues

[gnw3]

t1lib is the subject of 4 Security Vulnerabilities Published In 2011 ​http://www.cvedetails.com/cve/CVE-2011-1554/ ​http://www.cvedetails.com/cve/CVE-2011-1553/ ​http://www.cvedetails.com/cve/CVE-2011-1552/ ​http://www.cvedetails.com/cve/CVE-2011-0764/

and in 2010: ​http://www.cvedetails.com/cve/CVE-2010-2642/, ​http://secunia.com/advisories/cve_reference/CVE-2010-2642/

texlive 2011-pretest provides a patch for some issues in the AFM parser:

patch-01-buffer-limit (new): Avoid buffer overflow in

lib/t1lib/parseAFM.c token() and linetoken(). ​http://secunia.com/advisories/43491/

[gnw3]

Avoid buffer overflow in lib/t1lib/parseAFM.c token() and linetoken().

[gnw3]

Cc Me!

[gnw3]

Note that the patch file was intended to use "patch -p1".

On my system, t1lib was being used for texlive and xpdf. For xpdf, upstream suggests that t1lib not be used (#29629). I'm investigating how t1lib is used by texlive.

[jmroot (Joshua Root)]

Adding maintainers of ports that use t1lib (evince, pTeX, texlive-bin, xpdf) to Cc.

[drkp (Dan Ports)]

Replying to gnwiii@…:

I'm investigating how t1lib is used by texlive.

It's used by xdvi, and some related utilities. Beyond that, I'm not sure.

[drkp (Dan Ports)]

I committed the patch in r79146.

The other issues still remain. Do you know if there are patches available for any of them?

[gnw3]

Replying to dports@…:

I committed the patch in r79146.

The other issues still remain. Do you know if there are patches available for any of them?

I haven't encountered more patches. I'm watching to see what problems crop up in xpdf to see if we can live without t1lib.

[jmroot (Joshua Root)]

Closing as it's been 6 years, so this seems to be as patched as it's going to get. If anyone has more patches to fix these issues, feel free to reopen and attach them, or open a PR on GitHub.