[tor-bugs] #23663 [Applications/Tor Browser]: ESR52 codebase is incompatible with anything below Universal C Runtime (CRT) in Windows

[Tor Bug Tracker & Wiki]

#23663: ESR52 codebase is incompatible with anything below Universal C Runtime
(CRT) in Windows
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):

 * status:  new => needs_information


Comment:

 Replying to [comment:6 cypherpunks]:
 > Replying to [comment:5 gk]:
 > > Replying to [comment:4 cypherpunks]:
 > > > Don't you see that Jacek's patch activated compat shims for mingw?
 They were removed later as useless for UCRT (but needed for <=
 `msvcr120.dll`!).
 > >
 > > Oh, okay. You are just concerned about https://hg.mozilla.org/mozilla-
 central/rev/5680a55b2ec1?
 > Of course, no.
 > > I thought about cases in the other patches as well as you posted them
 in the description. But as I said they are guarded by `_MSC_VER` defines
 which are not used by mingw-w64 anyway.
 > But they should have been adapted to mingw where it's about CRT bugs.

 Why? Removing those patches does not change anything with respect to
 mingw-w64. Those code parts did not get used for it before code removal
 either.

 > > So it seems
 > > {{{
 > > -if CONFIG['OS_ARCH'] == 'WINNT':
 > > -    SOURCES += [
 > > -        '../compat/strtod.c'
 > > }}}
 > > is the thing that is bothering you. Back then this got introduced to
 fix compilation with mingw-w64. But that's not an issue anymore without
 this particular code.
 > They, probably, don't use CRT then.
 > > So, what exactly is the problem with that removal for our mingw-w64
 builds as they are building fine now?
 > Building fine, but working?

 What is not working due to those code changes?

 > > And could you point to the security problematic that you think is
 obvious with removing those three code lines? (the one you mentioned in
 comment:2 does not seem to be it)
 > No, the security problematic is that ESR52 was never tested with
 anything below UCRT and in general:

 It was, we shipped alpha releases before we switched Tor Browser stable
 users to ESR 52.

 > > It makes it very expensive for us to fix bugs in already-released
 versions of the libraries because we are no longer actively working in the
 codebases for those versions, so fixes must be individually backported and
 tested. The result is that we usually fix only serious security
 vulnerabilities in old versions of the libraries. Other bugs are generally
 fixed only for the next major version. (M$)

 Where is this quote from?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23663#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online