

Changes between Initial Version and Version 1 of Ticket #544


Timestamp: 03/21/14 11:16:06 (8 years ago)
Author: Antoine Martin
Comment:

I've bumped my OSX build to libpng-1.6.10 as part of testing for #533 and it seems to work fine; libjpeg can probably be bumped the same way. So OSX isn't too much of a problem.

win32 on the other hand...

  • Ticket #544 – Description

    initial v1  
    33The problem is that there are many security issues in {{{libpng}}} (and probably also in {{{libjpeg}}}), just look at the [http://www.libpng.org/pub/png/libpng.html libpng home page] which is full of CVE entries... So all in all, it isn't too difficult for a hostile server to use {{{PNG}}} or {{{JPEG}}} to attack the client.
    44
    5 For OSX, it isn't too bad, we can probably bump the {{{libpng}}} version in the moduleset (see #533), but for win32... building (Py)GTK from source is '''very hard''', and updating the {{{DLL}}} in place may not be possible.. Ouch!
     5For OSX, it isn't too bad, we can probably bump the {{{libpng}}} version in the moduleset (see #533), but for win32... building (Py)GTK from source is '''very hard''', and updating the {{{libpng14-14.dll}}} in place may not be possible.. Ouch! One way to solve this is #300 ("setup a proper build infrastructure for win32 builds")
    66
    7 {{{libjpeg}}} seems to very very slow at making release, so maybe we can switch to one of those instead (assuming that those are API compatible):
     7{{{libjpeg}}} seems to very very slow at making new releases, so maybe we can switch to one of those instead (assuming that those are API compatible):
    88* [http://libjpeg-turbo.virtualgl.org/ libjpeg-turbo]
    99* [https://github.com/mozilla/mozjpeg mozjpeg]
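
Review bot: the new line 5 names {{{libpng14-14.dll}}} but the description still does not say which libpng release that DLL carries or which release the win32 build should move to, so there is nothing to verify a fix against; state both versions next to the DLL name. In the new line 7, "seems to very very slow" is still missing "be", and the "assuming that those are API compatible" condition for libjpeg-turbo and mozjpeg should be confirmed before either is listed as a replacement.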