#749 closed defect (wontfix)
restrict the DLLs we load on win32 to avoid those with known vulnerabilities
| Reported by: | Antoine Martin | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | major | Milestone: | 0.15 |
| Component: | client | Version: | trunk |
| Keywords: | win32 | Cc: |
Description
For example: flac changelog: Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow) in 1.3.1
Related to:
- #544: jpeg and png are out of date..
- #678: gtk3 build from source
- #300: gtk2 build from source
- #299: gstreamer build from source
We should at least exclude flac on win32, it would also be a good idea to inspect all the media libraries we ship and blacklist the ones that are too out of date / vulnerable (hopefully this will leave some we can still use).
Change History (4)
comment:1 Changed 6 years ago by
| Status: | new → assigned |
|---|
comment:3 Changed 6 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
With the number of dlls we cannot replace since we cannot build GTK2 from source, I think it is just too hard to make the win32 safe.
We need either a native client (pure pywin32?) or use GTK3 (#640).
comment:4 Changed 3 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/749
Note: See
TracTickets for help on using
tickets.
copyleft 2010 - 2021
r8163 avoids flac on win32 with gstreamer 0.10 - should be backported.
We now need to go through the rest of the dlls..