texlive, fix for CVE-2018-17407
|Reported by:||Owned by:|
An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.
This applies to past years too.
Binary users should obviously update.
I found a patch at fedora (couldn't get anywhere in texlive svn). But (on 8.3) failed to build with -j8. Retrying with -j1.
Note that debian-unstable and testing seem to be using *current* svn, and I noticed they had issues with some libraries.