Opened 4 years ago

Last modified 6 months ago

#3004 new enhancement

Update some bundled win32 libs

Reported by: Raymond
Owned by: Itms
Priority: Should Have
Milestone: Alpha 24
Component: Build & Packages
Keywords:
Cc:
Patch:

Change History (36)

comment:1 Changed 4 years ago by Ben Brian

Some of these have separate tickets that I'm going to close and point back here for organization purposes.

comment:2 Changed 4 years ago by Ben Brian

Component: Core engine → Build & Packages
Summary: update some libs → Update some bundled win32 libs

comment:3 Changed 4 years ago by Ben Brian

Description: modified (diff)

comment:4 Changed 4 years ago by Ben Brian

Separate ticket for specific OpenAL Soft bugfix: #3100

comment:5 Changed 3 years ago by leper

We currently ship ICU 52, while the last release is 55 (which includes some language names for e.g. Gaelic, which is included in release bundles). See http://wildfiregames.com/forum/index.php?showtopic=19826.

comment:6 Changed 3 years ago by Ben Brian

Description: modified (diff)

r16515 updated Gloox to 1.0.13.

comment:7 Changed 3 years ago by ben

In 17280:

Updates precompiled win32 libpng to 1.6.19, built with VC++ 2013 (v120_xp toolset), refs #3004.
Rebuilds zlib with VC++ 2013.

comment:8 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:9 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:10 Changed 3 years ago by fabio

Description: modified (diff)

comment:11 Changed 3 years ago by Raymond

please update libcurl to 7.45.0 which fixed some CVE (in 7.43.0)

comment:12 Changed 3 years ago by ben

In 17354:

Updates precompiled win32 libcurl to v7.45.0, built with VC++ 2013 (v120_xp toolset) and no SSL/zlib support, refs #3004

comment:13 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:14 Changed 3 years ago by ben

In 17659:

Updates precompiled win32 ICU to 56.1, built with VC++ 2013 (XP toolset). Refs #3004

comment:15 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:16 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:17 Changed 3 years ago by ben

In 17680:

Updates precompiled win32 libpng to 1.6.21, built with VC++ 2013 (v120_xp toolset), refs #3004.

comment:18 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:19 Changed 3 years ago by ben

In 17694:

Updates some precompiled win32 libraries with VC++ 2013 (v120_xp toolset), refs #3004:
Updates libxml2 to 2.9.3.
Rebuilds libiconv and FCollada.

comment:20 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:21 Changed 3 years ago by ben

In 17698:

Removes Boost 1.56 libs for Windows, refs #3004

comment:22 Changed 3 years ago by ben

In 17699:

Adds subset of Boost 1.60 libs for win32, built with VC++ 2013, refs #3004

comment:23 Changed 3 years ago by Ben Brian

Description: modified (diff)

comment:24 Changed 3 years ago by ben

In 17701:

Updates bundled win32 OpenAL Soft to 1.17.1, built with VC++ 2013 (v120_xp toolset), refs #3004

comment:25 Changed 16 months ago by Itms

In 19608:

Update precompiled win32 gloox lib to 1.0.20 and rebuild glooxwrapper, fixes #4564, refs #3004.

This gloox version includes a change that would improve the user experience when registrations are disabled or limited, refs #3771.

Reviewed By: vladislavbelov

Differential Revision: https://code.wildfiregames.com/D483

comment:26 Changed 15 months ago by elexis

Description: modified (diff)
Milestone: Backlog → Alpha 22

comment:27 Changed 15 months ago by elexis

Notice on Linux, we can get DLL version info from the file using exiftool file.dll.

Here is an overview of the currently committed Windows DLLs.

TLDR: not convinced that these few publicly known issues can affect us. There are no metasploit modules available, so script kiddies can't do anything and we don't seem to have haters that are serious enough to try to leverage something out of this. In almost every case they would only be able to crash the game after talking people into installing a maliciously crafted broken mod.

Only the NSPR printf issue sounds like it might affect us, but I'm not sure if that library is still in use anymore.

Furthermore some of the libraries look like they can be deleted.


Product name gloox
Usage multiplayer lobby communication
Files gloox-1.0.dll
gloox-1.0d.dll
glooxwrapper_dbg.dll
glooxwrapper.dll
Current version 1.0.20
Latest Stable 1.0.20
Source https://camaya.net/gloox/
Commits r19608
CVE Couldn't find anything either in CVE or elsewhere

Product name SpiderMonkey
Usage multiplayer lobby communication
Files mozjs38-ps-debug.dll
mozjs38-ps-release.dll
Current version 38
Latest Stable 45
Source https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases
Commits #3708
CVE Couldn't find a SM product in the CVE db, but there have been some in the past, f.e. http://www.phrack.org/papers/attacking_javascript_engines.html

Product name Debugging Tools for Windows
Usage Windows debugging
Files dbghelp.dll
Current version 6.8.0004.0 (debuggers(dbg).070515-1751)
Latest Stable 6.12
Source https://msdn.microsoft.com/en-US/library/windows/desktop/ms679294(v=vs.85).aspx
Commits r6060, r1457
CVE Couldn't find anything either in CVE or elsewhere

Product name C standard library for the Visual C++ (MSVC)
Usage Build
Files msvcrt.dll
Current version 6.10.9844.0
Latest Stable 6.12
Source https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#MSVCRT.DLL.2C_MSVCP.2A.DLL_and_CRTDLL.DLL
Commits r15531 from 2014-07-14:
"Oops, dbghelp.dll still depends on msvcrt.dll, so I'll revert that file for now :( We're not using the latest version, maybe the latest doesn't depend on such an ancient MSVC runtime. "
CVE Couldn't find a SM product in the CVE db
Deletable Sounds like it

Product name enet
Usage UDP networking multiplayer
Files enetd.dll
enet.dll
Current version 1.3.12
Latest Stable 1.3.13
Source http://enet.bespin.org/Downloads.html
https://github.com/lsalzman/enet/blob/master/ChangeLog
Commits r15457 r9577
CVE Couldn't find anything on CVE or elsewhere

Product name FCollada
Usage Collada interoperability / 3D file format
Files FColladaD.dll
FCollada.dll
Current version Must be 3.04C (2007)
Latest Stable 3.04C
Source https://www.khronos.org/collada/wiki/FCollada ?
Commits r17694
CVE Couldn't find anything on CVE or elsewhere

Product name ICU (International Components for Unicode)
Usage Build
Files icudt56.dll
icuin56.dll
icuio56.dll
icule56.dll
iculx56.dll
icutu56.dll
icuuc56.dll
Current version 56
Latest Stable 59
Source http://site.icu-project.org/download
Commits r17659
CVE Only buffer overflows that allow crashing apparently publicly known
https://www.cvedetails.com/vulnerability-list/vendor_id-7624/Icu-Project.html
https://www.cvedetails.com/vulnerability-list/vendor_id-7624/product_id-12882/version_id-200339/Icu-Project-International-Components-For-Unicode-57.1.html
https://www.cvedetails.com/vulnerability-list/vendor_id-7624/product_id-12882/version_id-212612/Icu-Project-International-Components-For-Unicode-58.2.html

Product name lib cURL
Usage http up/downloads, user reporter
Files libcurld.dll
libcurl.dll
Current version 7.45
Latest Stable 7.54
Source https://curl.haxx.se/libcurl/
Commits r17354
CVE None known to the current version https://www.cvedetails.com/version-search.php?vendor=+Libcurl&product=&version=

Product name libiconv (internationalization conversion)
Usage character set mess
Files libiconv.dll
Current version 1.14
Latest Stable 1.15
Source https://www.gnu.org/software/libiconv/
https://github.com/bnoordhuis/libiconv/blob/master/ChangeLog
Commits r17694
CVE Could only find vulns for software that uses libiconv

Product name libpng
Usage Image files
Files libpng16d.dll
libpng16.dll
Current version 1.6.21.0
Latest Stable 1.6.29
Source http://www.libpng.org/pub/png/libpng.html
Commits r17680
CVE Only 2 and those don't really matter (someone could create a broken mod)
http://www.cvedetails.com/version-list/7294/12271/1/Libpng-Libpng.html
http://www.cvedetails.com/vulnerability-list/vendor_id-7294/product_id-12271/version_id-61916/Libpng-Libpng-Beta1.html
http://www.cvedetails.com/vulnerability-list/vendor_id-7294/product_id-12271/version_id-208677/Libpng-Libpng-1.6.26.html

Product name libxml2
Usage XML files
Files libxml2.dll
Current version 2.9.3
Latest Stable 2.9.4
Source http://xmlsoft.org/news.html
Commits r17694
CVE exploitable if someone offers a malicious mod
https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-194802/Xmlsoft-Libxml2-2.9.3.html
https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-200282/Xmlsoft-Libxml2-2.9.4.html
Only this one sounds interesting, remote code execution when providing a crafted XML:
https://www.cvedetails.com/cve/CVE-2016-4448/
"A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application."

Product name miniupnp client
Usage hosting multiplayer games via universal plug & play
Files miniupnpcd.dll
miniupnpc.dll
Current version 1.9.20151008
Latest Stable 2.0.20170509
Source http://miniupnp.free.fr/
Commits r17119
CVE client is fine, daemon has some issues
client:
https://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-32572/Miniupnp-Project-Miniupnp.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798
daemon (which we don't use, do we?)
http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/version_id-171397/Miniupnp-Project-Miniupnpd-1.9.html
http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/version_id-213986/Miniupnp-Project-Miniupnpd-2.0.html

Product name Microsoft Visual Studio 10 runtime
Usage Visual Studio 10 support
Files msvcp100d.dll
msvcp100.dll
msvcr100d.dll
msvcr100.dll
Current version 10.0.40219.1
Latest Stable ?
Source https://www.microsoft.com/de-de/download/details.aspx?id=5555
Commits r13983 Adds vc100 redist C runtimes to support future libs built with vs2010
CVE only relevant when using a malicious DLL
https://www.cvedetails.com/version-list/26/3847/1/Microsoft-Visual-C-.html
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3847/version_id-107129/Microsoft-Visual-C--2010.html
Deletable Sounds like it, do we need to support VS2010?

Product name Visual C++ Redistributable Packages for Visual Studio 2013
Usage Visual Studio debugging
Files msvcp120d.dll
msvcp120.dll
msvcr120d.dll
msvcr120.dll
Current version 12.0.21005.1
Latest Stable ?
Source https://www.microsoft.com/de-de/download/details.aspx?id=40784
Commits r16021
CVE No CVEs
Visual Studio 2012 had some exploit, but doesn't apply to 2013 apparently:
https://www.cvedetails.com/version-list/26/676/1/Microsoft-Visual-Studio.html

Product name Netscape Portable Runtime
Usage SpiderMonkey 24 / 31 leftover?
Files nspr4.dll
plc4.dll
plds4.dll
Current version 4.10.7.0
Latest Stable 4.15
Source https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR
https://ftp.mozilla.org/pub/nspr/releases/
https://hg.mozilla.org/projects/nspr/tags
Commits r16214 r14876
CVE printf buffer overflow, which sounds exploitable, but is this actually in use?
http://www.cvedetails.com/version-list/452/26468/1/Mozilla-Netscape-Portable-Runtime.html
http://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-26468/version_id-200885/Mozilla-Netscape-Portable-Runtime-4.11.html
http://www.cvedetails.com/cve/CVE-2016-1951/
Deletable Sounds like it
"When building a version older than 28, you'll additionally need NSPR."
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Build_Documentation
"On POSIX platforms, building a threadsafe shell no longer requires NSPR."
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/31
https://bugzilla.mozilla.org/show_bug.cgi?id=931151

Product name NVIDIA Texture Tools
Usage Doing things with textures?
Files nvtt.dll
Current version 2.0.8 (according to the commit date and no release after 2010 before 2016).
Latest Stable 2.1.0
Source https://github.com/castano/nvidia-texture-tools
https://github.com/castano/nvidia-texture-tools/blob/master/ChangeLog
Commits r15455
CVE Changelog 2.1.0 doesn't contain anything about security

Product name libogg & libvorbis
Usage playing audio
Files ogg_d.dll
ogg.dll
vorbis_d.dll
vorbis.dll
vorbisfile_d.dll
vorbisfile.dll
Current version libogg to v1.3.2 and libvorbis to 1.3.4
Latest Stable libogg to v1.3.2 and libvorbis to 1.3.5
Source https://xiph.org/downloads/
Commits r15419
CVE libvorbis 1.3.5 fixed crashes but no exploits
https://svn.xiph.org/trunk/vorbis/CHANGES
No CVEs

Product name OpenAL32
Usage 3D audio
Files OpenAL32.dll
Current version 1.17.1
Latest Stable 1.18.0
Source http://kcat.strangesoft.net/openal.html
Commits r17701
CVE No vulnerabilities in the changelog. CVEs only about JogAmp using this lib

Product name SDL 2
Usage Keyboard, Mouse, Window events
Files SDL2.dll
Current version 2.0.4
Latest Stable 2.0.5
Source https://www.libsdl.org/download-2.0.php
Commits r17658
CVE No vulnerabilities publicly known
Only SDL1 CVE: https://www.cvedetails.com/vendor/7625/SDL.html

Product name zlib
Usage un/zipping mods, savegames, rejoinstates
Files zlib1d.dll
zlib1.dll
Current version 1.2.8
Latest Stable 1.2.11
Source https://zlib.net/
Commits r17280
CVE 4 out-of-bounds reads which could cause a crash
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
https://www.cvedetails.com/version-list/72/1820/1/GNU-Zlib.html
https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/version_id-214474/GNU-Zlib-1.2.8.html
Last edited 15 months ago by elexis (previous) (diff)
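
An added example (not part of the ticket or the project's code) that automates the comparison comment:27 does by hand: it reads `exiftool -j` output for the bundled DLLs and checks each FileVersionNumber against a baseline taken from the overview's "Latest Stable" column. The JSON sample is constructed, the function names and status labels are this example's own, and it assumes a DLL's version resource reflects the library version.

```python
import json

# Minimum versions, from the "Latest Stable" column of the overview above.
BASELINE = {
    "libpng16.dll": "1.6.29",
    "zlib1.dll": "1.2.11",
    "libxml2.dll": "2.9.4",
    "openal32.dll": "1.18.0",
}

# Constructed sample shaped like `exiftool -j -FileName -FileVersionNumber *.dll`.
SAMPLE = """[
 {"FileName": "libpng16.dll", "FileVersionNumber": "1.6.21.0"},
 {"FileName": "zlib1.dll", "FileVersionNumber": "1.2.11.0"},
 {"FileName": "libxml2.dll"},
 {"FileName": "OpenAL32.dll", "FileVersionNumber": "1.17.1.0"},
 {"FileName": "nvtt.dll", "FileVersionNumber": "2.0.8.0"}
]"""

def parse_version(text):
    """'1.6.21.0' -> (1, 6, 21, 0); None if the text is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Numeric compare after zero-padding, so 1.2.11.0 == 1.2.11 and 1.6.21 < 1.6.29."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def audit(exiftool_json, baseline=BASELINE):
    """Map each file name to 'ok', 'outdated', 'unknown' or 'untracked'."""
    report = {}
    for entry in json.loads(exiftool_json):
        name = entry.get("FileName", "")
        wanted = baseline.get(name.lower())
        found = parse_version(str(entry.get("FileVersionNumber", "")))
        if wanted is None:
            report[name] = "untracked"   # not in the baseline: add it or drop the DLL
        elif found is None:
            report[name] = "unknown"     # no version resource: verify by hand
        elif compare(found, parse_version(wanted)) < 0:
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for dll, status in audit(SAMPLE).items():
        print(f"{dll:14} {status}")
```

The "unknown" status matters for libraries built without a version resource, where the version has to be traced back to the commit that added the binary.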

comment:28 Changed 15 months ago by leper

Regarding NSPR that is most likely still required (see all those comments that indicate that only applies to POSIX-like platforms; but I guess someone trying to build SpiderMonkey without it will be able to tell you).

Source of FCollada is libraries/source, since we are somewhat maintaining (as in not touching it unless it breaks) that as upstream closed down the source and the few tickets about merging that with some other slightly different forks of it went nowhere (#562).

About NVTT that is 2.0.8 with lots of patches (again libraries/source), see #4549.

CVE-2017-8798 is in miniupnpc not miniupnpd, see the upstream changelog or if you want more details look at the actual commit.

Currently the only supported VS version is 2013 (see BuildInstructions), however some of those libs might have been built with 2010 and thus require that dll (yes, rebuilding all of them would fix that).

Also you seem to be missing boost (most likely no security issues, but maybe perf improvements). And if we are updating things we might also want to update wxWidgets on the windows autobuild box.

comment:29 Changed 15 months ago by Itms

In 19895:

Upgrade a few bundled Windows libraries, refs #3004.

Upgrade enet to 1.3.13.
Upgrade zlib to 1.2.11.
Upgrade libpng to 1.6.29.
Upgrade libxml2 to 2.9.4.

Reviewed By: Imarok
Differential Revision: https://code.wildfiregames.com/D718

comment:30 Changed 15 months ago by Itms

Milestone: Alpha 22 → Alpha 23
Owner: set to Itms

I'm not managing to build miniupnpc, so I'm pushing this to A23.

comment:31 Changed 13 months ago by elexis

libjpeg-turbo recommended in Phab:D779, refs #2828
video transcoder and player recommended in #4724

comment:32 Changed 11 months ago by Itms

In 20407:

Update Boost to 1.65.1 and provide static libs (built with XP toolset) for upcoming VS 2015 support.
Tested by Vladislav, refs #3004.

comment:33 Changed 7 months ago by Itms

Milestone: Alpha 23 → Alpha 24

comment:34 Changed 6 months ago by fabio

Given #4790 was recently closed, here is an update of latest libraries and current status (to be A23) for Windows:

Most are a bit behind and some are possibly security related.

Last edited 6 months ago by fabio (previous) (diff)

comment:35 Changed 6 months ago by fabio

Some security fixes updating to latest versions:

  • curl 7.58 -> 7.59 fixes: CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 + others from 7.45 -> 7.58
  • miniupnpc 2.0.20180222 -> 2.0.20170509 fixes: "Fix buffer over run in minixml.c", "Fix uninitialized variable access in upnpreplyparse.c"
  • libvorbis 1.3.5 -> 1.3.6 fixes: CVE-2018-5146, CVE-2017-14632, CVE-2017-14633
  • libxml2 2.9.4 -> 2.9.8: many security fixes

Would be nice if someone could update some of those before A23.

comment:36 Changed 6 months ago by Itms

In 21683:

Update libcurl to 7.59.0 on Windows and enable SSL support on Windows and macOS.
Refs #3004, #4362.
