Update the msvcr100.dll we ship in Tor Browser
It turns out we ship a not-up-to-date msvcr100.dll in Tor Browser (see comment:description:ticket:23390). We should fix that.
We might want to think about updating to msvcp140.dll as Mozilla ships that one with Firefox ESR 52. Not sure whether that's actually worthwhile or not.
Activity
Hrm, generally, you should update CRT manually when you do app-local deployment. Without that your product will not get any security updates to CRT.
There are a lot of reasons why you should upgrade to UCRT as Mozilla, but it should be solved as a mingw-w64 issue. And it is harder than usual https://mingwpy.github.io/ucrt.html
Trac:
Keywords: N/A deleted, tbb-security added
I am guessing that coordinating with me will result in needless round trips as we figure out which dll we actually want to use, where we want to get it, and finally authenticating it between eachother and copying it into place. I think that we should just put the DLL in a new location that doesn't require me to be in the loop.
The attached patch changes the URL to my directory on people.tpo and updates the hash value. Please double-check with different methods if I got the correct file.
To test this you might need to work around #23557 (moved).
Trac:
Status: new to needs_review
Keywords: TorBrowserTeam201709 deleted, TorBrowserTeam201709R added
Replying to gk:
I've downloaded/extracted several
msvcr100.dllfiles (the latest version I found was 10.0.40219.325) and get the following sha256sum:8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
Anyone getting something else/getting the same?
I downloaded the file from some random websites, and also got the same hash.
However, I also downloaded "Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)" from Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=8328
After installing it, I get version 10.0.40219.1 (instead of 10.0.40219.325), with a different hash: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa *Windows/SysWOW64/msvcr100.dll
So I am wondering where version 10.0.40219.325 is coming from, and if there is some way to get it from Microsoft website.
-
It comes from this security update: https://support.microsoft.com/en-us/help/2565063/ms11-025-description-of-the-security-update-for-visual-c-2010-service
Do you get the new .dll after applying some updates (although it seems weird to me that M$ is distributing an outdated .dll to begin with)?
-
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
After installing this, I now get a
msvcr100.dllwith the same sha256sum: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 Because Microsoft cannot automatically update locally deployed Visual C++ libraries, we caution against local deployment of these libraries. If you decide to use local deployment of redistributable libraries, we recommend that you implement your own method of automatically updating the locally deployed libraries. https://docs.microsoft.com/en-us/cpp/ide/deployment-in-visual-cpp#local-deployment
Something similar - https://bugzilla.mozilla.org/show_bug.cgi?id=866850
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
Supported Operating System Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP