#749 closed defect (wontfix)
restrict the DLLs we load on win32 to avoid those with known vulnerabilities
Reported by: | Antoine Martin | Owned by: | Antoine Martin |
---|---|---|---|
Priority: | major | Milestone: | 0.15 |
Component: | client | Version: | trunk |
Keywords: | win32 | Cc: |
Description
For example: flac changelog: Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow) in 1.3.1
Related to:
- #544: jpeg and png are out of date..
- #678: gtk3 build from source
- #300: gtk2 build from source
- #299: gstreamer build from source
We should at least exclude flac on win32, it would also be a good idea to inspect all the media libraries we ship and blacklist the ones that are too out of date / vulnerable (hopefully this will leave some we can still use).
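An added sketch of the version check described above; it is not code from the ticket or from xpra. The manifest layout, DLL file names and function names are hypothetical, and the only version floor is the flac 1.3.1 fix quoted in the description.

```python
import re

# Minimum versions carrying the fixes named in this ticket. Only flac is
# listed: it is the only library the ticket gives a fixed version for
# (CVE-2014-9028 and CVE-2014-8962, fixed in 1.3.1).
MIN_SAFE = {"flac": (1, 3, 1)}

# Constructed sample: DLL file name -> (library, version string).
# File names and versions are made up for illustration.
SAMPLE_MANIFEST = {
    "libFLAC-8.dll": ("flac", "1.2.1"),
    "libFLAC-new.dll": ("flac", "1.3.1"),
    "libFLAC-odd.dll": ("flac", "git-snapshot"),
    "libvorbis-0.dll": ("vorbis", "1.3.3"),
}


def parse_version(text):
    """Return a tuple of ints, or None if text is not dotted-numeric."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit_bundle(manifest, min_safe=MIN_SAFE):
    """Sort bundled DLLs into allowed, blocked and unreviewed.

    A library with a known floor is blocked when it is older than the
    floor or when its version cannot be parsed (fail closed). A library
    with no floor is reported as unreviewed rather than silently allowed.
    """
    result = {"allowed": [], "blocked": {}, "unreviewed": []}
    for dll, (library, version) in sorted(manifest.items()):
        floor = min_safe.get(library)
        if floor is None:
            result["unreviewed"].append(dll)
            continue
        parsed = parse_version(version)
        floor_text = ".".join(str(n) for n in floor)
        if parsed is None:
            result["blocked"][dll] = f"{library} version unknown"
        elif parsed < floor:
            result["blocked"][dll] = f"{library} {version} < {floor_text}"
        else:
            result["allowed"].append(dll)
    return result
```

The unreviewed list is the set of libraries that still need a floor before the bundle can be considered inspected.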
Change History (4)
comment:1 Changed 7 years ago by
Status: | new → assigned |
---|
comment:3 Changed 7 years ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
With the number of dlls we cannot replace since we cannot build GTK2 from source, I think it is just too hard to make the win32 safe.
We need either a native client (pure pywin32?) or use GTK3 (#640).
comment:4 Changed 16 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/749
r8163 avoids flac on win32 with gstreamer 0.10 - should be backported.
We now need to go through the rest of the dlls..