
Opened 5 years ago

Closed 4 years ago

#749 closed defect (wontfix)

restrict the DLLs we load on win32 to avoid those with known vulnerabilities

Reported by: Antoine Martin Owned by: Antoine Martin
Priority: major Milestone: 0.15
Component: client Version: trunk
Keywords: win32 Cc:

Description

For example: flac changelog: Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow) in 1.3.1

Related to:

  • #544: jpeg and png are out of date..
  • #678: gtk3 build from source
  • #300: gtk2 build from source
  • #299: gstreamer build from source

We should at least exclude flac on win32, it would also be a good idea to inspect all the media libraries we ship and blacklist the ones that are too out of date / vulnerable (hopefully this will leave some we can still use).
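The audit the description asks for (go through every shipped media DLL, block the ones whose version predates a known fix, and flag the ones nobody has reviewed yet) can be scripted. The following is an added example, not xpra's own code. The only policy entry taken from the page is flac, whose changelog says CVE-2014-9028 and CVE-2014-8962 were fixed in 1.3.1; the ogg entry and the whole DLL inventory are constructed placeholders, and a real run would read each file's version resource (for instance with the pefile package) instead of a hard-coded dict.

```python
"""Audit a win32 build tree's DLLs against a minimum-safe-version policy.

Added example, not part of the xpra project. The inventory below is
constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum versions the build may ship. The flac line comes from the
# changelog quoted in the ticket (CVE-2014-9028 / CVE-2014-8962 fixed in
# 1.3.1). The ogg line is a constructed placeholder so the "allow" path
# is exercised; it is not a statement about any real ogg release.
MIN_SAFE_VERSION: Dict[str, str] = {
    "flac": "1.3.1",
    "ogg": "1.3.0",  # placeholder, not from the page
}

# Constructed inventory standing in for the DLL directory of a build.
# A real audit would read each file's VS_VERSIONINFO resource instead.
SHIPPED_DLLS: Dict[str, str] = {
    "libflac-8.dll": "1.2.1",    # older than the fixed release -> block
    "libogg-0.dll": "1.3.0",     # meets the placeholder minimum -> allow
    "libpng14-14.dll": "1.4.3",  # no policy entry yet -> needs review
}

# "libflac-8.dll" -> "flac", "libpng14-14.dll" -> "png": optional "lib"
# prefix, a lazy alphabetic stem, optional ABI digits and "-N" suffix.
_DLL_RE = re.compile(r"^(?:lib)?([a-z]+?)\d*(?:-\d+)?\.dll$")


def parse_version(text: str) -> Version:
    """Turn '1.3.1' into (1, 3, 1); non-numeric fragments are ignored.

    Tuples compare lexicographically, so (1, 3) < (1, 3, 1) as wanted."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def library_name(dll_filename: str) -> str:
    """Map a shipped DLL file name to the library it belongs to."""
    match = _DLL_RE.match(dll_filename.lower())
    if not match:
        raise ValueError(f"unrecognised DLL name {dll_filename!r}")
    return match.group(1)


def audit(inventory: Dict[str, str],
          policy: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the inventory into allow / block / review lists.

    block:  a policy exists and the shipped version is older than it.
    allow:  a policy exists and the shipped version satisfies it.
    review: no policy entry; the library has not been assessed yet, which
            is the state the ticket wants surfaced rather than silently
            treated as safe."""
    result: Dict[str, List[str]] = {"allow": [], "block": [], "review": []}
    for dll, shipped in sorted(inventory.items()):
        minimum = policy.get(library_name(dll))
        if minimum is None:
            result["review"].append(dll)
        elif parse_version(shipped) < parse_version(minimum):
            result["block"].append(dll)
        else:
            result["allow"].append(dll)
    return result


if __name__ == "__main__":
    for verdict, dlls in audit(SHIPPED_DLLS, MIN_SAFE_VERSION).items():
        print(f"{verdict:6s} {', '.join(dlls) or '-'}")
```

The "review" bucket is the useful output here: the ticket's aim is that no shipped library is treated as acceptable merely because nobody has looked at it, so an unreviewed DLL is reported separately instead of being lumped in with the allowed ones.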

Change History (3)

comment:1 Changed 5 years ago by Antoine Martin

Status: new → assigned

r8163 avoids flac on win32 with gstreamer 0.10 - should be backported.

We now need to go through the rest of the dlls..

comment:2 Changed 4 years ago by Antoine Martin

Backport in r8501.

comment:3 Changed 4 years ago by Antoine Martin

Resolution: wontfix
Status: assigned → closed

With the number of dlls we cannot replace since we cannot build GTK2 from source, I think it is just too hard to make the win32 safe.
We need either a native client (pure pywin32?) or use GTK3 (#640).
