Opened 9 years ago
Last modified 10 months ago
#3004 new task
Update some bundled win32 libs
| Reported by: | Raymond | Owned by: | |
|---|---|---|---|
| Priority: | Should Have | Milestone: | Alpha 27 |
| Component: | Build & Packages | Keywords: | |
| Cc: | Patch: |
Description (last modified by )
Change History (62)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
| Component: | Core engine → Build & Packages |
|---|---|
| Summary: | update some libs → Update some bundled win32 libs |
comment:3 by , 9 years ago
| Description: | modified (diff) |
|---|
comment:5 by , 9 years ago
We currently ship ICU 52, while the last release is 55. (Which includes some language names for eg Gaelic (which is included in release bundles). See http://wildfiregames.com/forum/index.php?showtopic=19826.
comment:8 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:9 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:10 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:13 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:15 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:16 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:18 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:20 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:23 by , 8 years ago
| Description: | modified (diff) |
|---|
comment:26 by , 7 years ago
| Description: | modified (diff) |
|---|---|
| Milestone: | Backlog → Alpha 22 |
comment:27 by , 7 years ago
Notice on linux, we can get DLL version infos from the file using exiftool file.dll.
Here an overview of the currently committed windows DLLs.
TLDR: not convinced that these few publicly known issues can affect us. There are no metasploit modules available, so script kiddies can't do anything and we don't seem to have haters that are serious enough to try to leverage something out of this. In almost every case they would only be able to crash the game after talking people into installing a maliciously crafted broken mod.
Only the NSPR printf issue sounds like it might affect us, but I'm not sure if that library is still in use anymore.
Furthermore some of the library look like they can be deleted.
| Product name | gloox |
| Usage | multiplayer lobby communication |
| Files | gloox-1.0.dll |
| gloox-1.0d.dll | |
| glooxwrapper_dbg.dll | |
| glooxwrapper.dll | |
| Current version | 1.0.20 |
| Latest Stable | 1.0.20 |
| Source | https://camaya.net/gloox/ |
| Commits | r19608 |
| CVE | Couldn't find anything neither in CVE nor elsewhere |
| Product name | SpiderMonkey |
| Usage | multiplayer lobby communication |
| Files | mozjs38-ps-debug.dll |
| mozjs38-ps-release.dll | |
| Current version | 38 |
| Latest Stable | 45 |
| Source | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases |
| Commits | #3708 |
| CVE | Couldn't find a SM product in the CVE db, but there have been some in the past, f.e. http://www.phrack.org/papers/attacking_javascript_engines.html |
| Product name | Debugging Tools for Windows |
| Usage | Windows debugging |
| Files | dbghelp.dll |
| Current version | 6.8.0004.0 (debuggers(dbg).070515-1751) |
| Latest Stable | 6.12 |
| Source | https://msdn.microsoft.com/en-US/library/windows/desktop/ms679294(v=vs.85).aspx |
| Commits | r6060, r1457 |
| CVE | Couldn't find anything neither in CVE nor elsewhere |
| Product name | C standard library for the Visual C++ (MSVC) |
| Usage | Build |
| Files | msvcrt.dll |
| Current version | 6.10.9844.0 |
| Latest Stable | 6.12 |
| Source | https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#MSVCRT.DLL.2C_MSVCP.2A.DLL_and_CRTDLL.DLL |
| Commits | r15531 from 2014-07-14: |
| "Oops, dbghelp.dll still depends on msvcrt.dll, so I'll revert that file for now :( We're not using the latest version, maybe the latest doesn't depend on such an ancient MSVC runtime. " | |
| CVE | Couldn't find a SM product in the CVE db |
| Deletable | Sounds like it |
| Product name | enet |
| Usage | UDP networking multiplayer |
| Files | enetd.dll |
| enet.dll | |
| Current version | 1.3.12 |
| Latest Stable | 1.3.13 |
| Source | http://enet.bespin.org/Downloads.html |
| https://github.com/lsalzman/enet/blob/master/ChangeLog | |
| Commits | r15457 r9577 |
| CVE | Couldn't find anything on CVE nor elsewhere |
| Product name | FCollada |
| Usage | Colla interoperability / 3D file format |
| Files | FColladaD.dll |
| FCollada.dll | |
| Current version | Must be 3.04C (2007) |
| Latest Stable | 3.04C |
| Source | https://www.khronos.org/collada/wiki/FCollada ? |
| Commits | r17694 |
| CVE | Couldn't find anything on CVE nor elsewhere |
| Product name | ICU (International Components for Unicode) |
| Usage | Build |
| Files | icudt56.dll |
| icuin56.dll | |
| icuio56.dll | |
| icule56.dll | |
| iculx56.dll | |
| icutu56.dll | |
| icuuc56.dll | |
| Current version | 56 |
| Latest Stable | 59 |
| Source | http://site.icu-project.org/download |
| Commits | r17659 |
| CVE | Only buffer overflows that allow crashing apparently publicly known |
| https://www.cvedetails.com/vulnerability-list/vendor_id-7624/Icu-Project.html | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-7624/product_id-12882/version_id-200339/Icu-Project-International-Components-For-Unicode-57.1.html | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-7624/product_id-12882/version_id-212612/Icu-Project-International-Components-For-Unicode-58.2.html |
| Product name | lib cURL |
| Usage | http up/downloads, user reporter |
| Files | libcurld.dll |
| libcurl.dll | |
| Current version | 7.45 |
| Latest Stable | 7.54 |
| Source | https://curl.haxx.se/libcurl/ |
| Commits | r17354 |
| CVE | None known to the current version https://www.cvedetails.com/version-search.php?vendor=+Libcurl&product=&version= |
| Product name | libiconv (internationalization conversion) |
| Usage | character set mess |
| Files | libiconv.dll |
| Current version | 1.14 |
| Latest Stable | 1.15 |
| Source | https://www.gnu.org/software/libiconv/ |
| https://github.com/bnoordhuis/libiconv/blob/master/ChangeLog | |
| Commits | r17694 |
| CVE | Could only vulns for software that uses libiconv |
| Product name | libpng |
| Usage | Image files |
| Files | libpng16d.dll |
| libpng16.dll | |
| Current version | 1.6.21.0 |
| Latest Stable | 1.6.29 |
| Source | http://www.libpng.org/pub/png/libpng.html |
| Commits | r17680 |
| CVE | Only 2 and those don't really matter (someone could create a broken mod) |
| http://www.cvedetails.com/version-list/7294/12271/1/Libpng-Libpng.html | |
| http://www.cvedetails.com/vulnerability-list/vendor_id-7294/product_id-12271/version_id-61916/Libpng-Libpng-Beta1.html | |
| http://www.cvedetails.com/vulnerability-list/vendor_id-7294/product_id-12271/version_id-208677/Libpng-Libpng-1.6.26.html |
| Product name | libxml2 |
| Usage | XML files |
| Files | libxml2.dll |
| Current version | 2.9.3 |
| Latest Stable | 2.9.4 |
| Source | http://xmlsoft.org/news.html |
| Commits | r17694 |
| CVE | exploitable if someone offers a malicious mod |
| https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-194802/Xmlsoft-Libxml2-2.9.3.html | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-200282/Xmlsoft-Libxml2-2.9.4.html | |
| Only this one sounds interesting, remote code execution when providing a crafted XML: | |
| https://www.cvedetails.com/cve/CVE-2016-4448/ | |
| "A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the permissions of the user running the application." |
| Product name | miniupnp client |
| Usage | hosting multiplayer games via universal plug & play |
| Files | miniupnpcd.dll |
| miniupnpc.dll | |
| Current version | 1.9.20151008 |
| Latest Stable | 2.0.20170509 |
| Source | http://miniupnp.free.fr/ |
| Commits | r17119 |
| CVE | client is fine, deamon has some issues |
| client: | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-32572/Miniupnp-Project-Miniupnp.html | |
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8798 | |
| deamon (which we don't use, do we?) | |
| http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/version_id-171397/Miniupnp-Project-Miniupnpd-1.9.html | |
| http://www.cvedetails.com/vulnerability-list/vendor_id-12591/product_id-24263/version_id-213986/Miniupnp-Project-Miniupnpd-2.0.html |
| Product name | Microsoft Visual Studio 10 runtime |
| Usage | Visual Studio 10 support |
| Files | msvcp100d.dll |
| msvcp100.dll | |
| msvcr100d.dll | |
| msvcr100.dll | |
| Current version | 10.0.40219.1 |
| Latest Stable | ? |
| Source | https://www.microsoft.com/de-de/download/details.aspx?id=5555 |
| Commits | r13983 Adds vc100 redist C runtimes to support future libs built with vs2010 |
| CVE | only relevant when using a malicious DLL |
| https://www.cvedetails.com/version-list/26/3847/1/Microsoft-Visual-C-.html | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3847/version_id-107129/Microsoft-Visual-C--2010.html | |
| Deletable | Sounds like it, do we need to support VS2010? |
| Product name | Visual C++ Redistributable Packages for Visual Studio 2013 |
| Usage | Visual Studio debugging |
| Files | msvcp120d.dll |
| msvcp120.dll | |
| msvcr120d.dll | |
| msvcr120.dll | |
| Current version | 12.0.21005.1 |
| Latest Stable | ? |
| Source | https://www.microsoft.com/de-de/download/details.aspx?id=40784 |
| Commits | r16021 |
| CVE | No CVEs |
| Visual Studio 2012 had some exploit, but doesn't apply to 2013 apparently: | |
| https://www.cvedetails.com/version-list/26/676/1/Microsoft-Visual-Studio.html |
| Product name | NVIDIA Texture Tools |
| Usage | Doing things with textures? |
| Files | nvtt.dll |
| Current version | 2.0.8 (according to the commit date and no release after 2010 before 2016). |
| Latest Stable | 2.1.0 |
| Source | https://github.com/castano/nvidia-texture-tools |
| https://github.com/castano/nvidia-texture-tools/blob/master/ChangeLog | |
| Commits | r15455 |
| CVE | Changelog 2.1.0 doesn't contain anything about security |
| Product name | libogg & libvorbis |
| Usage | playing audio |
| Files | ogg_d.dll |
| ogg.dll | |
| vorbis_d.dll | |
| vorbis.dll | |
| vorbisfile_d.dll | |
| vorbisfile.dll | |
| Current version | libogg to v1.3.2 and libvorbis to 1.3.4 |
| Latest Stable | libogg to v1.3.2 and libvorbis to 1.3.5 |
| Source | https://xiph.org/downloads/ |
| Commits | r15419 |
| CVE | libvorbis 1.3.5 fixed crashes but no exploits |
| https://svn.xiph.org/trunk/vorbis/CHANGES | |
| No CVEs |
| Product name | OpenAL32 |
| Usage | 3D audio |
| Files | OpenAL32.dll |
| Current version | 1.17.1 |
| Latest Stable | 1.18.0 |
| Source | http://kcat.strangesoft.net/openal.html |
| Commits | r17701 |
| CVE | No vulnerabilities in the changelog. CVEs only about JogAmp using this lib |
| Product name | SDL 2 |
| Usage | Keyboard, Mouse, Window events |
| Files | SDL2.dll |
| Current version | 2.0.4 |
| Latest Stable | 2.0.5 |
| Source | https://www.libsdl.org/download-2.0.php |
| Commits | r17658 |
| CVE | No vulnerabilities publicly known |
| Only SDL1 CVE: https://www.cvedetails.com/vendor/7625/SDL.html |
| Product name | zlib |
| Usage | un/zipping mods, savegames, rejoinstates |
| Files | zlib1d.dll |
| zlib1.dll | |
| Current version | 1.2.8 |
| Latest Stable | 1.2.11 |
| Source | https://zlib.net/ |
| Commits | r17280 |
| CVE | 4 out of bound reads which could cause a crash |
| https://wiki.mozilla.org/images/0/09/Zlib-report.pdf | |
| https://www.cvedetails.com/version-list/72/1820/1/GNU-Zlib.html | |
| https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/version_id-214474/GNU-Zlib-1.2.8.html |
comment:28 by , 7 years ago
Regarding NSPR that is most likely still required (see all those comments that indicate that only applies to POSIX-like platforms; but I guess someone trying to build SpiderMonkey without it will be able to tell you).
Source of FCollada is libraries/source, since we are somewhat maintaining (as in not touching it unless it breaks) that as upstream closed down the source and the few tickets about merging that with some other slightly different forks of it went nowhere (#562)
About NVTT that is 2.0.8 with lots of patches (again libraries/source), see #4549.
CVE-2017-8798 is in miniupnpc not miniupnpd, see the upstream changelog or if you want more details look at the actual commit.
Currently the only supported VS version is 2013 (see BuildInstructions), however some of those libs might have been built with 2010 and thus require that dll (yes, rebuilding all of them would fix that).
Also you seem to be missing boost (most likely no security issues, but maybe perf improvements). And if we are updating things we might also want to update wxWidgets on the windows autobuild box.
comment:30 by , 7 years ago
| Milestone: | Alpha 22 → Alpha 23 |
|---|---|
| Owner: | set to |
I'm not managing to build miniupnpc, so I'm pushing this to A23.
comment:31 by , 7 years ago
libjpeg-turbo recommended in Phab:D779, refs #2828
video transcoder and player recommended in #4724
comment:33 by , 6 years ago
| Milestone: | Alpha 23 → Alpha 24 |
|---|
comment:34 by , 6 years ago
Given #4790 was recently closed, here is an update of latest libraries and current status (to be A23) for Windows:
- boost 1.66.0 - 1.65;
- enet 1.3.13 - OK;
- gloox 1.0.20 - OK;
- iconv: 1.15 - 1.14;
- icu4c 60.2 - 56.1;
- curl 7.59.0 - 7.45.0;
- libpng 1.6.34 - 1.6.29;
- libxml2: 2.9.8 - 2.9.4;
- miniupnpc 2.0.20180222 - 1.9.20151008.
- openal 1.18.2 - 1.17.1;
- libsdl2 2.0.6, 2.0.7. 2.0.8 - 2.0.4;
- libvorbis 1.3.6 - 1.3.5;
- wxWidgets 3.0.4 - ?;
- zlib: 1.2.11 - OK;
- libogg 1.3.3 - 1.3.2;
- nspr 4.19 - ?;
Most are a bit behind and some are possibly security related.
comment:35 by , 6 years ago
Some security fixes updating to latest versions:
- curl 7.58 -> 7.59 fixes: CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122 + others from 7.45 -> 7.58
- miniupnpc 2.0.20180222 -> 2.0.20170509 fixes: "Fix buffer over run in minixml.c", "Fix uninitialized variable access in upnpreplyparse.c"
- libvorbis 1.3.5 -> 1.3.6 fixes: CVE-2018-5146, CVE-2017-14632, CVE-2017-14633
- libxml2 2.9.4 -> 2.9.8: many security fixes
Would be nice if someone could update some of those before A23.
comment:40 by , 3 years ago
| Description: | modified (diff) |
|---|
In r24251:
Update iconv from 1.14 to 1.16 with a .rc file so it can be show by clicking properties on Windows. Add the debug symbols.
comment:47 by , 3 years ago
In 24365:
(The changeset message doesn't reference this ticket)
Update SDL2 on Windows to 2.0.12. Built with the v141_xp toolset and the same dep on the VC140Runtime as the others (by default it uses MSCVRT) EOL to native
comment:50 by , 3 years ago
| Milestone: | Alpha 24 → Alpha 25 |
|---|
Most of the work has been done for A24.
Missing: Enet (1.3.13 ► 1.3.17) -- Still no IPV6 support.
comment:51 by , 3 years ago
| Owner: | changed from to |
|---|
comment:53 by , 3 years ago
| Milestone: | Alpha 25 → Alpha 26 |
|---|
comment:54 by , 2 years ago
| Milestone: | Alpha 26 → Alpha 27 |
|---|
comment:56 by , 15 months ago
| Milestone: | Alpha 27 → Alpha 28 |
|---|
comment:57 by , 15 months ago
| Owner: | removed |
|---|
comment:58 by , 15 months ago
| Type: | enhancement → task |
|---|
comment:61 by , 13 months ago
For everyone's information, it appears that fixes for Windows in gloox are not being included in 1.0.x releases upstream. Thus we shall keep using the development version of gloox on Windows, until 1.1.x releases start to happen.
Note that r27517 was included upstream.
Some of these have separate tickets that I'm going to close and point back here for organization purposes.