Opened 6 years ago

Last modified 4 weeks ago

#3004 new enhancement

Update some bundled win32 libs

Reported by: Raymond Owned by: Itms
Priority: Should Have Milestone: Alpha 24
Component: Build & Packages Keywords:
Cc: Patch:

Description (last modified by elexis)

Change History (38)

comment:1 by historic_bruno, 5 years ago

Some of these have separate tickets that I'm going to close and point back here for organization purposes.

comment:2 by historic_bruno, 5 years ago

Component: Core engineBuild & Packages
Summary: update some libsUpdate some bundled win32 libs

comment:3 by historic_bruno, 5 years ago

Description: modified (diff)

comment:4 by historic_bruno, 5 years ago

Separate ticket for specific OpenAL Soft bugfix: #3100

comment:5 by leper, 5 years ago

We currently ship ICU 52, while the last release is 55. (Which includes some language names for eg Gaelic (which is included in release bundles). See

comment:6 by historic_bruno, 5 years ago

Description: modified (diff)

r16515 updated Gloox to 1.0.13.

comment:7 by ben, 5 years ago

In 17280:

Updates precompiled win32 libpng to 1.6.19, built with VC++ 2013 (v120_xp toolset), refs #3004.
Rebuilds zlib with VC++ 2013.

comment:8 by historic_bruno, 5 years ago

Description: modified (diff)

comment:9 by historic_bruno, 5 years ago

Description: modified (diff)

comment:10 by fabio, 5 years ago

Description: modified (diff)

comment:11 by Raymond, 5 years ago

please update libcurl to 7.45.0 wich fixed some CVE (in 7.43.0)

comment:12 by ben, 5 years ago

In 17354:

Updates precompiled win32 libcurl to v7.45.0, built with VC++ 2013 (v120_xp toolset) and no SSL/zlib support, refs #3004

comment:13 by historic_bruno, 5 years ago

Description: modified (diff)

comment:14 by ben, 5 years ago

In 17659:

Updates precompiled win32 ICU to 56.1, built with VC++ 2013 (XP toolset). Refs #3004

comment:15 by historic_bruno, 5 years ago

Description: modified (diff)

comment:16 by historic_bruno, 5 years ago

Description: modified (diff)

comment:17 by ben, 5 years ago

In 17680:

Updates precompiled win32 libpng to 1.6.21, built with VC++ 2013 (v120_xp toolset), refs #3004.

comment:18 by historic_bruno, 5 years ago

Description: modified (diff)

comment:19 by ben, 5 years ago

In 17694:

Updates some precompiled win32 libraries with VC++ 2013 (v120_xp toolset), refs #3004:
Updates libxml2 to 2.9.3.
Rebuilds libiconv and FCollada.

comment:20 by historic_bruno, 5 years ago

Description: modified (diff)

comment:21 by ben, 5 years ago

In 17698:

Removes Boost 1.56 libs for Windows, refs #3004

comment:22 by ben, 5 years ago

In 17699:

Adds subset of Boost 1.60 libs for win32, built with VC++ 2013, refs #3004

comment:23 by historic_bruno, 5 years ago

Description: modified (diff)

comment:24 by ben, 5 years ago

In 17701:

Updates bundled win32 OpenAL Soft to 1.17.1, built with VC++ 2013 (v120_xp toolset), refs #3004

comment:25 by Itms, 3 years ago

In 19608:

Update precompiled win32 gloox lib to 1.0.20 and rebuild glooxwrapper, fixes #4564, refs #3004.

This gloox version includes a change that would improve the user experience when registrations are disabled or limited, refs #3771.

Reviewed By: vladislavbelov

Differential Revision:

comment:26 by elexis, 3 years ago

Description: modified (diff)
Milestone: BacklogAlpha 22

comment:27 by elexis, 3 years ago

Notice on linux, we can get DLL version infos from the file using exiftool file.dll.

Here an overview of the currently committed windows DLLs.

TLDR: not convinced that these few publicly known issues can affect us. There are no metasploit modules available, so script kiddies can't do anything and we don't seem to have haters that are serious enough to try to leverage something out of this. In almost every case they would only be able to crash the game after talking people into installing a maliciously crafted broken mod.

Only the NSPR printf issue sounds like it might affect us, but I'm not sure if that library is still in use anymore.

Furthermore some of the library look like they can be deleted.

Product name gloox
Usage multiplayer lobby communication
Files gloox-1.0.dll
Current version 1.0.20
Latest Stable 1.0.20
Commits r19608
CVE Couldn't find anything neither in CVE nor elsewhere

Product name SpiderMonkey
Usage multiplayer lobby communication
Files mozjs38-ps-debug.dll
Current version 38
Latest Stable 45
Commits #3708
CVE Couldn't find a SM product in the CVE db, but there have been some in the past, f.e.

Product name Debugging Tools for Windows
Usage Windows debugging
Files dbghelp.dll
Current version 6.8.0004.0 (debuggers(dbg).070515-1751)
Latest Stable 6.12
Commits r6060, r1457
CVE Couldn't find anything neither in CVE nor elsewhere

Product name C standard library for the Visual C++ (MSVC)
Usage Build
Files msvcrt.dll
Current version 6.10.9844.0
Latest Stable 6.12
Commits r15531 from 2014-07-14:
"Oops, dbghelp.dll still depends on msvcrt.dll, so I'll revert that file for now :( We're not using the latest version, maybe the latest doesn't depend on such an ancient MSVC runtime. "
CVE Couldn't find a SM product in the CVE db
Deletable Sounds like it

Product name enet
Usage UDP networking multiplayer
Files enetd.dll
Current version 1.3.12
Latest Stable 1.3.13
Commits r15457 r9577
CVE Couldn't find anything on CVE nor elsewhere

Product name FCollada
Usage Colla interoperability / 3D file format
Files FColladaD.dll
Current version Must be 3.04C (2007)
Latest Stable 3.04C
Source ?
Commits r17694
CVE Couldn't find anything on CVE nor elsewhere

Product name ICU (International Components for Unicode)
Usage Build
Files icudt56.dll
Current version 56
Latest Stable 59
Commits r17659
CVE Only buffer overflows that allow crashing apparently publicly known

Product name lib cURL
Usage http up/downloads, user reporter
Files libcurld.dll
Current version 7.45
Latest Stable 7.54
Commits r17354
CVE None known to the current version

Product name libiconv (internationalization conversion)
Usage character set mess
Files libiconv.dll
Current version 1.14
Latest Stable 1.15
Commits r17694
CVE Could only vulns for software that uses libiconv

Product name libpng
Usage Image files
Files libpng16d.dll
Current version
Latest Stable 1.6.29
Commits r17680
CVE Only 2 and those don't really matter (someone could create a broken mod)

Product name libxml2
Usage XML files
Files libxml2.dll
Current version 2.9.3
Latest Stable 2.9.4
Commits r17694
CVE exploitable if someone offers a malicious mod
Only this one sounds interesting, remote code execution when providing a crafted XML:
"A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application."

Product name miniupnp client
Usage hosting multiplayer games via universal plug & play
Files miniupnpcd.dll
Current version 1.9.20151008
Latest Stable 2.0.20170509
Commits r17119
CVE client is fine, deamon has some issues
deamon (which we don't use, do we?)

Product name Microsoft Visual Studio 10 runtime
Usage Visual Studio 10 support
Files msvcp100d.dll
Current version 10.0.40219.1
Latest Stable ?
Commits r13983 Adds vc100 redist C runtimes to support future libs built with vs2010
CVE only relevant when using a malicious DLL
Deletable Sounds like it, do we need to support VS2010?

Product name Visual C++ Redistributable Packages for Visual Studio 2013
Usage Visual Studio debugging
Files msvcp120d.dll
Current version 12.0.21005.1
Latest Stable ?
Commits r16021
Visual Studio 2012 had some exploit, but doesn't apply to 2013 apparently:

Product name Netscape Portable Runtime
Usage SpiderMonkey 24 / 31 leftover?
Files nspr4.dll
Current version
Latest Stable 4.15
Commits r16214 r14876
CVE printf buffer overflow, which sounds exploitable, but is this actually in use?
Deletable Sounds like it
"When building a version older than 28, you'll additionally need NSPR."
"On POSIX platforms, building a threadsafe shell no longer requires NSPR."

Product name NVIDIA Texture Tools
Usage Doing things with textures?
Files nvtt.dll
Current version 2.0.8 (according to the commit date and no release after 2010 before 2016).
Latest Stable 2.1.0
Commits r15455
CVE Changelog 2.1.0 doesn't contain anything about security

Product name libogg & libvorbis
Usage playing audio
Files ogg_d.dll
Current version libogg to v1.3.2 and libvorbis to 1.3.4
Latest Stable libogg to v1.3.2 and libvorbis to 1.3.5
Commits r15419
CVE libvorbis 1.3.5 fixed crashes but no exploits

Product name OpenAL32
Usage 3D audio
Files OpenAL32.dll
Current version 1.17.1
Latest Stable 1.18.0
Commits r17701
CVE No vulnerabilities in the changelog. CVEs only about JogAmp using this lib

Product name SDL 2
Usage Keyboard, Mouse, Window events
Files SDL2.dll
Current version 2.0.4
Latest Stable 2.0.5
Commits r17658
CVE No vulnerabilities publicly known
Only SDL1 CVE:

Product name zlib
Usage un/zipping mods, savegames, rejoinstates
Files zlib1d.dll
Current version 1.2.8
Latest Stable 1.2.11
Commits r17280
CVE 4 out of bound reads which could cause a crash
Last edited 3 years ago by elexis (previous) (diff)

comment:28 by leper, 3 years ago

Regarding NSPR that is most likely still required (see all those comments that indicate that only applies to POSIX-like platforms; but I guess someone trying to build SpiderMonkey without it will be able to tell you).

Source of FCollada is libraries/source, since we are somewhat maintaining (as in not touching it unless it breaks) that as upstream closed down the source and the few tickets about merging that with some other slightly different forks of it went nowhere (#562)

About NVTT that is 2.0.8 with lots of patches (again libraries/source), see #4549.

CVE-2017-8798 is in miniupnpc not miniupnpd, see the upstream changelog or if you want more details look at the actual commit.

Currently the only supported VS version is 2013 (see BuildInstructions), however some of those libs might have been built with 2010 and thus require that dll (yes, rebuilding all of them would fix that).

Also you seem to be missing boost (most likely no security issues, but maybe perf improvements). And if we are updating things we might also want to update wxWidgets on the windows autobuild box.

comment:29 by Itms, 3 years ago

In 19895:

Upgrade a few bundled Windows libraries, refs #3004.

Upgrade enet to 1.3.13.
Upgrade zlib to 1.2.11.
Upgrade libpng to 1.6.29.
Upgrade libxml2 to 2.9.4.

Reviewed By: Imarok
Differential Revision:

comment:30 by Itms, 3 years ago

Milestone: Alpha 22Alpha 23
Owner: set to Itms

I'm not managing to build miniupnpc, so I'm pushing this to A23.

comment:31 by elexis, 3 years ago

libjpeg-turbo recommended in Phab:D779, refs #2828
video transcoder and player recommended in #4724

comment:32 by Itms, 3 years ago

In 20407:

Update Boost to 1.65.1 and provide static libs (built with XP toolset) for upcoming VS 2015 support.
Tested by Vladislav, refs #3004.

comment:33 by Itms, 2 years ago

Milestone: Alpha 23Alpha 24

comment:34 by fabio, 2 years ago

Given #4790 was recently closed, here is an update of latest libraries and current status (to be A23) for Windows:

Most are a bit behind and some are possibly security related.

Last edited 2 years ago by fabio (previous) (diff)

comment:35 by fabio, 2 years ago

Some security fixes updating to latest versions:

  • curl 7.58 -> 7.59 fixes: CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 + others from 7.45 -> 7.58
  • miniupnpc ​2.0.20180222 -> 2.0.20170509 fixes: "Fix buffer over run in minixml.c", "Fix uninitialized variable access in upnpreplyparse.c"
  • libvorbis 1.3.5 -> 1.3.6 fixes: CVE-2018-5146, CVE-2017-14632, CVE-2017-14633
  • libxml2 2.9.4 -> 2.9.8: many security fixes

Would be nice if someone could update some of those before A23.

comment:36 by Itms, 2 years ago

In 21683:

Update libcurl to 7.59.0 on Windows and enable SSL support on Windows and macOS.
Refs #3004, #4362.

comment:37 by Itms, 7 months ago

r23302 updated libsodium to 1.0.18.

comment:38 by Itms, 4 weeks ago

In 23814:

Rebuild zlib 1.2.11 and upgrade libpng to 1.6.37, on Windows, with toolset v140_xp. Refs #3004.

Note: See TracTickets for help on using tickets.