Xpra: Ticket #544: update libpng and libjpeg in binary builds

We don't use libpng or libjpeg all that much, most of the picture format parsing is done using Pillow, but there are still codepaths that rely on GTK for parsing (ie: window icons), and GTK uses those libraries. In some recent OSX builds, Pillow had gone missing because of packaging issues (see ticket:500#comment:16), which means that we ended up using the GTK fallback.

The problem is that there are many security issues in libpng (and probably also in libjpeg), just look at the libpng home page which is full of CVE entries... So all in all, it isn't too difficult for a hostile server to use PNG or JPEG to attack the client.

For OSX, it isn't too bad, we can probably bump the libpng version in the moduleset (see #533), but for win32... building (Py)GTK from source is very hard, and updating the libpng14-14.dll in place may not be possible.. Ouch! One way to solve this is #300 ("setup a proper build infrastructure for win32 builds")

libjpeg seems to very very slow at making new releases, so maybe we can switch to one of those instead (assuming that those are API compatible):



Fri, 21 Mar 2014 11:16:06 GMT - Antoine Martin: description changed

I've bumped by OSX build to libpng-1.6.10 as part of testing for #533 and it seems to work fine, libjpeg can probably be bumped the same way. So OSX isn't too much of a problem.

win32 on the other hand...


Thu, 27 Mar 2014 04:46:29 GMT - Antoine Martin:

I've updated my OSX build environment with:

Then:

And it seems OK now.


For reference, you can find the full list of .dylibs and .sos that use those libraries with command lines like:

cd;clear;reset;find gtk/inst/lib -name "*so" -ls -exec otool -L {} \; | egrep "^gtk/inst|jpeg"

Tue, 08 Apr 2014 10:41:38 GMT - Antoine Martin: owner changed

Please update your build environment as per above, preferably by merging the new versions in the moduleset as per #533 - then close this ticket.

For win32, this will have to be done as part of #300 (updated and re-scheduled).


Tue, 15 Apr 2014 19:37:07 GMT - Smo:

I did merge these into the moduleset however I think by adding these to .jhbuildrc-custom might also work

branches["libjpeg"] = "http://softlayer-dal.dl.sourceforge.net/project/libjpeg-turbo/1.3.1/libjpeg-turbo-1.3.1.tar.gz"
branches["libpng"] = "http://softlayer-dal.dl.sourceforge.net/project/libpng/libpng16/1.6.10/libpng-1.6.10.tar.gz"
branches["libtiff"] = "http://download.osgeo.org/libtiff/tiff-4.0.3.tar.gz"

It seem to have compiled those versions on my system when building the rest of gtk so that might be an easier way for osx.


Sat, 17 May 2014 09:03:28 GMT - Antoine Martin: status changed; resolution set

The versions in the binary win32 GTK3 builds (see #90) are reasonably up to date, and we should be able to update them more easily, if not build the whole thing from source. The OSX ones are updated as per above, will be tracked in #533.

So I think we can close this.


Thu, 12 Jun 2014 05:06:00 GMT - Antoine Martin:

Note: as per ticket:263#comment:10, we may want to revive this ticket and use these instructions: GTK+ for Windows to build a more up to date GTK2.


Sat, 23 Jan 2021 04:58:53 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/544