[tor-bugs] #23663 [Applications/Tor Browser]: ESR52 codebase is incompatible with anything below Universal C Runtime (CRT) in Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 26 21:31:08 UTC 2017


#23663: ESR52 codebase is incompatible with anything below Universal C Runtime
(CRT) in Windows
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):

 * status:  needs_information => new


Comment:

 Replying to [comment:5 gk]:
 > Replying to [comment:4 cypherpunks]:
 > > Don't you see that Jacek's patch activated compat shims for mingw?
 They were removed later as useless for UCRT (but needed for <=
 `msvcr120.dll`!).
 >
 > Oh, okay. You are just concerned about https://hg.mozilla.org/mozilla-central/rev/5680a55b2ec1?
 Of course, no.
 > I thought about cases in the other patches as well as you posted them in
 > the description. But as I said they are guarded by `_MSC_VER` defines
 > which are not used by mingw-w64 anyway.
 But they should have been adapted to mingw where it's about CRT bugs.
 > So it seems
 > {{{
 > -if CONFIG['OS_ARCH'] == 'WINNT':
 > -    SOURCES += [
 > -        '../compat/strtod.c'
 > }}}
 > is the thing that is bothering you. Back then this got introduced to fix
 > compilation with mingw-w64. But that's not an issue anymore without this
 > particular code.
 They probably don't use CRT then.
 > So, what exactly is the problem with that removal for our mingw-w64
 > builds as they are building fine now?
 Building fine, but working?
 > And could you point to the security problematic that you think is
 > obvious with removing those three code lines? (the one you mentioned in
 > comment:2 does not seem to be it)
 No, the security problematic is that ESR52 was never tested with anything
 below UCRT and in general:
 > It makes it very expensive for us to fix bugs in already-released
 > versions of the libraries because we are no longer actively working in the
 > codebases for those versions, so fixes must be individually backported and
 > tested. The result is that we usually fix only serious security
 > vulnerabilities in old versions of the libraries. Other bugs are generally
 > fixed only for the next major version. (M$)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23663#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

