Bug tracker and wiki

This bug tracker and wiki are being discontinued
please use https://github.com/Xpra-org/xpra instead.

Opened 7 years ago

Closed 7 years ago

Last modified 16 months ago

#749 closed defect (wontfix)

restrict the DLLs we load on win32 to avoid those with known vulnerabilities

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: major
Milestone: 0.15
Component: client
Version: trunk
Keywords: win32
Cc:


For example: flac changelog: Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow) in 1.3.1

Related to:

  • #544: jpeg and png are out of date..
  • #678: gtk3 build from source
  • #300: gtk2 build from source
  • #299: gstreamer build from source

We should at least exclude flac on win32; it would also be a good idea to inspect all the media libraries we ship and blacklist the ones that are too out of date / vulnerable (hopefully this will leave some we can still use).

Change History (4)

comment:1 Changed 7 years ago by Antoine Martin

Status: new → assigned

r8163 avoids flac on win32 with gstreamer 0.10 - should be backported.

We now need to go through the rest of the dlls..

comment:2 Changed 7 years ago by Antoine Martin

Backport in r8501.

comment:3 Changed 7 years ago by Antoine Martin

Resolution: wontfix
Status: assigned → closed

With the number of dlls we cannot replace since we cannot build GTK2 from source, I think it is just too hard to make the win32 safe.
We need either a native client (pure pywin32?) or use GTK3 (#640).

comment:4 Changed 16 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/749
