bugFreeciv - Bugs: bug #24321, Obsolete or insecure libraries

 
 
Show feedback again

bug #24321: Obsolete or insecure libraries

Submitted by:  Frank <dunnoob>
Submitted on:  Sun Jan 17 23:44:16 2016  
 
Category: generalSeverity: 3 - Normal
Priority: 5 - NormalStatus: Ready For Test
Assigned to: NoneOpen/Closed: Open
Release: Operating System: Microsoft Windows
Planned Release: 2.5.5, 2.6.0-beta1, 3.0.0Contains string changes: None

Add a New Comment (Rich MarkupRich Markup):
   

You are not logged in

Please log in, so followups can be emailed to you.

 

(Jump to the original submission Jump to the original submission)

Sat Sep 3 23:41:47 2016, comment #19:

The OpenSSL folks started a new 1.1.0 branch on 2016-08-25 with a disabled 3DES (affected by "SWEET32" CVE-2016-2183). Updating from 1.0.2 to 1.1.0 could be a major headache:

Frank <dunnoob>
Wed Aug 3 21:24:58 2016, comment #18:

Missing DLL version strings as of 2.5.5 Windows gtk2:

exchndl
freetype6
libbz2-2
libcairo-2
libcairo-gobject-2
libffi-6
libfontconfig-1
libfreetype-6
libgcc_s_dw2-1
libidn-11
libMagickCore-6.Q16-1
libMagickWand-6.Q16-1
libogg-0
libpixman-1-0
libpng14-14
libpng15-15
libsqlite3-0
libssl32
libvorbis-3
libvorbisfile-3
libxml2-2

Everything else is shown with a version (screenshot attached).

(file #28125)

Frank <dunnoob>
Fri Jul 29 01:01:41 2016, comment #17:

Great, openssl 1.0.2h is up to date based on https://www.openssl.org/news/secadv/20160503.txt

For libpng14-14.dll + libpng15-15.dll in the r33261 2.5.4 test version I can't say what it is. If it is 1.6.14 + 1.6.15 both are obsolete (current = 1.6.23, 1.6.19 or older are insecure based on http://www.libpng.org/pub/png/libpng.html ), and presumably you'd only want one libpng.

Frank <dunnoob>
Thu Jul 28 17:18:51 2016, SVN revision 33359:

MSYS1 build environment update. See bug #24321

(Browse SVN revision 33359)

Christian Prochaska <cproc>
Project Administrator
Thu Jul 28 17:18:33 2016, SVN revision 33358:

MSYS1 build environment update. See bug #24321

(Browse SVN revision 33358)

Christian Prochaska <cproc>
Project Administrator
Thu Jul 28 17:16:50 2016, SVN revision 33357:

MSYS1 build environment update. See bug #24321

(Browse SVN revision 33357)

Christian Prochaska <cproc>
Project Administrator
Thu Jul 28 09:20:17 2016, comment #13:

Building seems to be working as far as I could test this quickly. Please commit soon, or I'll commit myself when I need it. I'd like to do one S2_5 test build with this tomorrow, so the 2.5.5 release build is not the first time it's actually tested.

Marko Lindqvist <cazfi>
Project Administrator
Wed Jul 27 15:45:32 2016, comment #12:

Updated build environment: http://download.gna.org/freeciv/packages/windows/gnuwin32/gnuwin32-2016-07-27.7z

SVN 1.8.16 (from https://sourceforge.net/projects/win32svn/files/1.8.16/apache22/) has libeay32.dll/ssleay32.dll version 1.0.2h, which seem to be compatible with the new curl package.

(file #28023, file #28024, file #28025)

Christian Prochaska <cproc>
Project Administrator
Wed Jul 27 12:53:11 2016, comment #11:

I can reproduce the problem. The new curl package has ssleay32.dll, whereas the previous curl package had libssl32.dll. The svn package has its own version of ssleay32.dll, which is replaced by the curl version, which is apparently not compatible. I'll try a newer svn version.

Christian Prochaska <cproc>
Project Administrator
Wed Jul 27 08:43:10 2016, comment #10:

> (missing dll).

Actually some other problem in a dll. The error message was in Finnish, something about 'missing number'.

Marko Lindqvist <cazfi>
Project Administrator
Wed Jul 27 08:35:24 2016, comment #9:

I tried to set up the new msys1 environment. When I tried to build freeciv there, svn -command to get sources did not work (missing dll). This could be something gone awry in this particular installation. I'll retry later.

Marko Lindqvist <cazfi>
Project Administrator
Tue Jul 26 02:49:55 2016, comment #8:

Updated MSYS1 build environment with curl 7.40.0 (http://curl.haxx.se/gknw.net/7.40.0/dist-w32/curl-7.40.0-devel-mingw32.zip): http://download.gna.org/freeciv/packages/windows/gnuwin32/gnuwin32-2016-07-26.7z

(file #28014, file #28015, file #28016)

Christian Prochaska <cproc>
Project Administrator
Sun Jul 10 13:51:47 2016, comment #7:

See also discussion in task #7989.

Jacob Nevins <jtn>
Project Administrator
Mon May 16 15:59:22 2016, comment #6:

As ssl is included only as dependency of full curl, we are not directly affected. It's probably not even possible to trigger freeciv to use libcurl in a way where ssl functionality would be used. Further mitigations include the fact that it acts as client side only - user would need to request malicious metaserver or modpack download URL to be used, and not the server being attackable by outsiders.

Freeciv-3.0 is going to use msys2 based solution, in 2.6 it's only experimental.

Marko Lindqvist <cazfi>
Project Administrator
Mon May 16 15:24:05 2016, comment #5:

Good plan for 2.5.x, the security issue fixed on May 3, 2016, was about ASN (abstract syntax notification) parsing, I don't see how that could affect Freeciv: a malicious multiplayer server certificate trying to crash its clients makes no sense. ;-)

And for 2.6 you already decreed to drop XP, so that takes something published on or after May 3, the newest http://www.paehl.com/open_source/?CURL_7.48.0 as of today would not be good enough.

Frank <dunnoob>
Mon May 16 12:56:01 2016, comment #4:

The SSL libraries come with curl (https://curl.haxx.se/download.html). The latest curl Windows package which suggests compatibility with MinGW and Windows 2000/XP seems to be http://curl.haxx.se/gknw.net/7.40.0/dist-w32/curl-7.40.0-devel-mingw32.zip with OpenSSL version 1.0.0o. I'll try to update curl before the next Freeciv release.

Christian Prochaska <cproc>
Project Administrator
Mon May 16 11:29:46 2016, comment #3:

The libssl32.dll (+ libeay32.dll) in Freeciv 2.5.3 windows (gtk2) apparently belongs to OpenSSL 0.9.8r (8 Feb 2011). The same OpenSSL version was used in 2.5.99 alpha r32098.

The OpenSSL 0.9.8 and 1.0.0 branches were closed in December 2015, cf. https://www.openssl.org/news/secadv/20160503.txt

There were 20 critical security issues in OpenSSL since February 2011, cf. https://www.openssl.org/news/secadv/

The latest and greatest versions (published on May 3, 2016) are OpenSSL 1.0.1o or 1.0.2c. I can't tell what the differences between 1.0.1 and 1.0.2 are, but I'd guess that it doesn't matter for the purposes of Freeciv.

Frank <dunnoob>
Mon Jan 18 13:09:59 2016, comment #2:

No, I'm not sure, I haven't used a compiler for years. But http://www.libpng.org/pub/png/src/libpng-1.6.21-README.txt appears to be the latest and greatest (2016-01-15). No new security issues, 1.6.20 could be also good enough.

For OpenSSL see https://www.openssl.org/news/secadv/20151203.txt
Or in other words, if what you have is fresher than 2015-12-04 it's the best you can do (as of today) for libssl/libeay.

Frank <dunnoob>
Mon Jan 18 06:15:07 2016, comment #1:

Are you sure you got the libpng dll versioning correctly? I would think libpng-14.xx.dll would be releases from libpng14 (or 1.4) and libpng-15.xx.dll from libpng15 (or 1.5). Latest release of the former is 1.4.19 and latter 1.5.26. Latest development branch of libpng is libpng17.

Where are the libssl libraries being used? I assume it's a recursive dependency via curl.

I've been doing some work to get freeciv to build on MSYS2 based environment, so I would not spent too much time in attempts to get dlls in MSYS1 updated.

Marko Lindqvist <cazfi>
Project Administrator
Sun Jan 17 23:44:16 2016, original submission:

Freeciv-2.5.99-alpha+r31157-gtk2 on Windows installs libpng14-14.dll AND libpng15-15.dll. It should either use libpng20-20.dll or later to get rid of some obscure libpng security issues (cf. libpng site), or stick to libpng14-14.dll. The PNG folks managed to break their ICC color profile handling somewhere between 15 and 19 temporarily, 14 is a last known good version, allegedly 20 is again good enough.

Freeciv-2.5.99-alpha+r31157-gtk2 on Windows installs libeay32.dll and libssl32.dll, but these critical libraries do not show their version numbers in Windows explorer (unlike most other DLLs used by FreeCiv.) Default assumption: Whatever openSSL you have, it is critically insecure and fixed in a newer openSSL.

The libvorbis-0.dll used in FreeCiv 2.4.4 up to 2.5.99 has a size of 154 KB. The same (?) library in Wesnoth 1.12.2 has a size of 215 KB. One FreeCiv version claims to be libVorbis I 20090709...
Xiph.Org libVorbis 1.2.3, the Wesnoth 1.12.2 version claims to be libVorbis I 20140122 (Turpak<UTF-8>).Xiph.Org libVorbis 1.3.4. Maybe the Wesnoth libVorbis is "better" or at least "fresher".

The Xiph.org libvorbis license wants to be shown somewhere even in binary distributions (ordinary copyright + disclaimer), but I don't find the place where FreeCiv and Wesnoth try this. FFMpeg and MPlayer (etc.) are distributed with a libvorbis.txt license.

IMHO the libMagick* stuff is gross, it seriouly uses 48 (or 64) bits for about 1000 colours. Windows users can handle PPM P6 for 24 bits RGB (or PAM P7 with transparency in 32 bits) if they have FFMpeg or XnView or NetPBM or ANYTHING better than only MSPaint.

If you can offer PNG (24 bits RGB or 32 bits RGBA) based only on libpngNN-NN.dll + zlib1.dll you might not need the two libMagick*.

Frank <dunnoob>

 

(Note: upload size limit is set to 1024 kB, after insertion of the required escape characters.)

Attach File(s):
   
   
Comment:
   

Attached Files
file #28125:  versions.png added by dunnoob (281kB - image/png)
file #28015:  curl-7.40-trunk.patch added by cproc (777B - text/x-diff)
file #28016:  curl-7.40-S2_6.patch added by cproc (768B - text/x-diff)
file #28014:  curl-7.40-S2_5.patch added by cproc (768B - text/x-diff)

 

Depends on the following items: None found

Items that depend on this one: None found

 

Carbon-Copy List
  • -unavailable- added by jtn (Posted a comment)
  • -unavailable- added by cproc (Posted a comment)
  • -unavailable- added by cazfi (Posted a comment)
  • -unavailable- added by dunnoob (Submitted the item)
  •  

    Do you think this task is very important?
    If so, you can click here to add your encouragement to it.
    This task has 0 encouragements so far.

    Only logged-in users can vote.

     

    Error: not logged in

     

     

    Follow 11 latest changes.

    Date Changed By Updated Field Previous Value => Replaced By
    Wed Aug 3 21:24:58 2016dunnoobAttached File-=>Added versions.png, #28125
    Thu Jul 28 07:48:34 2016cazfiCategoryNone=>general
      StatusNone=>Ready For Test
      Planned Release=>2.5.5, 2.6.0-beta1, 3.0.0
    Wed Jul 27 15:45:32 2016cprocAttached File-=>Added gnuwin32-2016-07-27-S2_5.patch, #28023
      Attached File-=>Added gnuwin32-2016-07-27-trunk.patch, #28024
      Attached File-=>Added gnuwin32-2016-07-27-S2_6.patch, #28025
    Tue Jul 26 02:49:55 2016cprocAttached File-=>Added curl-7.40-trunk.patch, #28015
      Attached File-=>Added curl-7.40-S2_6.patch, #28016
    Tue Jul 26 02:49:54 2016cprocAttached File-=>Added curl-7.40-S2_5.patch, #28014
    Sun Jul 10 13:51:47 2016jtnOperating SystemNone=>Microsoft Windows
    Show feedback again

    Back to the top


    Powered by Savane 3.1-cleanup