Opened 2 years ago

Closed 2 years ago

Last modified 14 months ago

#23396 closed defect (fixed)

Update the msvcr100.dll we ship in Tor Browser

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, TorBrowserTeam201709R, tbb-backported
Cc: mikeperry
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It turns out we ship a not-up-to-date msvcr100.dll in Tor Browser (see comment:description:ticket:23390). We should fix that.

We might want to think about updating to msvcp140.dll as Mozilla ships that one with Firefox ESR 52. Not sure whether that's actually worthwhile or not.

Attachments (1)

0001-Bug-23396-Updating-the-msvcr100.dll-we-ship.patch (975 bytes) - added by gk 2 years ago.

Change History (18)

comment:1 Changed 2 years ago by cypherpunks

Keywords: tbb-security added

Hrm, generally, you should update CRT manually when you do app-local deployment. Without that your product will not get any security updates to CRT.

There are a lot of reasons why you should upgrade to UCRT as Mozilla, but it should be solved as a mingw-w64 issue. And it is harder than usual https://mingwpy.github.io/ucrt.html

comment:2 Changed 2 years ago by gk

Cc: mikeperry added
Status: new → needs_information

Mike: do you want to update that library in your directory on people@tpo which is still used for fetching it? Or should we move away from that directory while we are at it and put the .dll somewhere else?

comment:4 Changed 2 years ago by mikeperry

I am guessing that coordinating with me will result in needless round trips as we figure out which dll we actually want to use, where we want to get it, and finally authenticating it between each other and copying it into place. I think that we should just put the DLL in a new location that doesn't require me to be in the loop.

comment:5 Changed 2 years ago by gk

I've downloaded/extracted several msvcr100.dll files (the latest version I found was 10.0.40219.325) and get the following sha256sum:

8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll

Anyone getting something else/getting the same?

comment:6 Changed 2 years ago by cypherpunks

Status: needs_information → new

It is the same on every up-to-date Windows machine in C:\Windows\System32

comment:7 Changed 2 years ago by gk

Keywords: TorBrowserTeam201709R added; TorBrowserTeam201709 removed
Status: new → needs_review

The attached patch changes the URL to my directory on people.tpo and updates the hash value. Please double-check with different methods if I got the correct file.

To test this you might need to work around #23557.

comment:8 in reply to:  5 Changed 2 years ago by boklm

Replying to gk:

> I've downloaded/extracted several msvcr100.dll files (the latest version I found was 10.0.40219.325) and get the following sha256sum:
>
> 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
>
> Anyone getting something else/getting the same?

I downloaded the file from some random websites, and also got the same hash.

However, I also downloaded "Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)" from the Microsoft website:
https://www.microsoft.com/en-us/download/details.aspx?id=8328

After installing it, I get version 10.0.40219.1 (instead of 10.0.40219.325), with a different hash:
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa *Windows/SysWOW64/msvcr100.dll

So I am wondering where version 10.0.40219.325 is coming from, and if there is some way to get it from the Microsoft website.

comment:9 Changed 2 years ago by gk

It comes from this security update: https://support.microsoft.com/en-us/help/2565063/ms11-025-description-of-the-security-update-for-visual-c-2010-service

Do you get the new .dll after applying some updates (although it seems weird to me that M$ is distributing an outdated .dll to begin with)?

comment:10 Changed 2 years ago by boklm

I will check if I get it after applying updates.

Version 10.0.40219.325 is signed by the same key as version 10.0.40219.1 downloaded from the Microsoft website, so it should be good.

The tor-browser-build patch also looks good.

comment:12 in reply to:  11 Changed 2 years ago by boklm

Replying to cypherpunks:

> https://www.microsoft.com/en-us/download/details.aspx?id=26999

After installing this, I now get a msvcr100.dll with the same sha256sum: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
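
The cross-check carried out in comments 5 through 12, as an added example that is not part of the ticket or of tor-browser-build: it parses a sha256sum line (including the * binary-mode marker seen in comment:8), hashes each candidate copy of the DLL, and reports which sources agree with the pinned digest and which differ. The file contents and source labels are constructed stand-ins, and all function names are hypothetical.

```python
import hashlib
import hmac
import io
import re

# sha256sum prints "<digest>  <name>" (text mode) or "<digest> *<name>" (binary mode).
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

def parse_sum_line(line):
    """Return (digest, filename) from one line of sha256sum output."""
    m = SUM_LINE.match(line.strip())
    if not m:
        raise ValueError("not a sha256sum line: %r" % line)
    return m.group(1).lower(), m.group(2)

def sha256_of(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large files are never loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def cross_check(pinned_line, candidates):
    """Split source labels into those matching the pinned digest and those that differ."""
    pinned, _name = parse_sum_line(pinned_line)
    agree, differ = [], {}
    for source, stream in candidates.items():
        digest = sha256_of(stream)
        if hmac.compare_digest(digest, pinned):
            agree.append(source)
        else:
            differ[source] = digest  # keep the digest so the odd copy can be traced
    return agree, differ

# Constructed stand-ins for two builds of the DLL (not real file contents).
PATCHED = b"MZ constructed stand-in: build with the security update"
UNPATCHED = b"MZ constructed stand-in: build without the security update"

def demo():
    pinned_line = hashlib.sha256(PATCHED).hexdigest() + " *msvcr100.dll"
    candidates = {  # hypothetical source labels
        "system32-copy": io.BytesIO(PATCHED),
        "third-party-download": io.BytesIO(PATCHED),
        "redist-without-update": io.BytesIO(UNPATCHED),
    }
    return cross_check(pinned_line, candidates)

if __name__ == "__main__":
    agree, differ = demo()
    print("match pinned digest:", agree)
    print("differ:", differ)
```

A copy that differs is not necessarily tampered with; as in comment:8, it can simply be another build of the same file, which is why the differing digest is reported rather than discarded.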

comment:13 Changed 2 years ago by gk

Keywords: tbb-backport added
Resolution: fixed
Status: needs_review → closed

Thanks. Applied to master with commit 05f2d5bfb41c901d2d2b7543777e7b0d85121456.

comment:14 Changed 2 years ago by cypherpunks

Because Microsoft cannot automatically update locally deployed Visual C++ libraries, we caution against local deployment of these libraries. If you decide to use local deployment of redistributable libraries, we recommend that you implement your own method of automatically updating the locally deployed libraries.

https://docs.microsoft.com/en-us/cpp/ide/deployment-in-visual-cpp#local-deployment

comment:16 Changed 22 months ago by gk

Keywords: tbb-backported added; tbb-backport removed

This got backported to 7.0.10 with commit 50545b66c03d4fc8fb54b48ee6a34287516d43b7 on maint-7.0 in the tor-browser-bundle repo.

comment:17 in reply to:  11 Changed 14 months ago by cypherpunks

Replying to cypherpunks:

> https://www.microsoft.com/en-us/download/details.aspx?id=26999

Supported Operating System

Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP 