#23396 closed defect (fixed)
Update the msvcr100.dll we ship in Tor Browser
| Reported by: | gk | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-security, TorBrowserTeam201709R, tbb-backported |
| Cc: | mikeperry | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
It turns out we ship a not-up-to-date msvcr100.dll in Tor Browser (see comment:description:ticket:23390). We should fix that.
We might want to think about updating to msvcp140.dll as Mozilla ships that one with Firefox ESR 52. Not sure whether that's actually worthwhile or not.
Child Tickets
Attachments (1)
Change History (18)
comment:1 Changed 19 months ago by
| Keywords: | tbb-security added |
|---|
comment:2 Changed 19 months ago by
| Cc: | mikeperry added |
|---|---|
| Status: | new → needs_information |
Mike: do you want to update that library in your directory on people@tpo which is still used for fetching it? Or should we move away from that directory while we are at it and put the .dll somewhere else?
comment:3 Changed 19 months ago by
comment:4 Changed 19 months ago by
I am guessing that coordinating with me will result in needless round trips as we figure out which dll we actually want to use, where we want to get it, and finally authenticating it between eachother and copying it into place. I think that we should just put the DLL in a new location that doesn't require me to be in the loop.
comment:5 follow-up: 8 Changed 18 months ago by
I've downloaded/extracted several msvcr100.dll files (the latest version I found was 10.0.40219.325) and get the following sha256sum:
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
Anyone getting something else/getting the same?
comment:6 Changed 18 months ago by
| Status: | needs_information → new |
|---|
It is the same on every up-to-date Windows machine in C:\Windows\System32
comment:7 Changed 18 months ago by
| Keywords: | TorBrowserTeam201709R added; TorBrowserTeam201709 removed |
|---|---|
| Status: | new → needs_review |
The attached patch changes the URL to my directory on people.tpo and updates the hash value. Please double-check with different methods if I got the correct file.
To test this you might need to work around #23557.
Changed 18 months ago by
| Attachment: | 0001-Bug-23396-Updating-the-msvcr100.dll-we-ship.patch added |
|---|
comment:8 Changed 18 months ago by
Replying to gk:
I've downloaded/extracted several
msvcr100.dllfiles (the latest version I found was 10.0.40219.325) and get the following sha256sum:
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
Anyone getting something else/getting the same?
I downloaded the file from some random websites, and also got the same hash.
However, I also downloaded "Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)" from Microsoft website:
https://www.microsoft.com/en-us/download/details.aspx?id=8328
After installing it, I get version 10.0.40219.1 (instead of 10.0.40219.325), with a different hash:
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa *Windows/SysWOW64/msvcr100.dll
So I am wondering where version 10.0.40219.325 is coming from, and if there is some way to get it from Microsoft website.
comment:9 Changed 18 months ago by
It comes from this security update: https://support.microsoft.com/en-us/help/2565063/ms11-025-description-of-the-security-update-for-visual-c-2010-service
Do you get the new .dll after applying some updates (although it seems weird to me that M$ is distributing an outdated .dll to begin with)?
comment:10 Changed 18 months ago by
I will check if I get it after applying updates.
Version 10.0.40219.325 is signed by the same key as version 10.0.40219.1 downloaded from Microsoft website, so it should be good.
The tor-browser-build patch also looks good.
comment:11 follow-ups: 12 17 Changed 18 months ago by
comment:12 Changed 18 months ago by
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
After installing this, I now get a msvcr100.dll with the same sha256sum: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
comment:13 Changed 18 months ago by
| Keywords: | tbb-backport added |
|---|---|
| Resolution: | → fixed |
| Status: | needs_review → closed |
Thanks. Applied to master with commit 05f2d5bfb41c901d2d2b7543777e7b0d85121456.
comment:14 Changed 18 months ago by
Because Microsoft cannot automatically update locally deployed Visual C++ libraries, we caution against local deployment of these libraries. If you decide to use local deployment of redistributable libraries, we recommend that you implement your own method of automatically updating the locally deployed libraries.
https://docs.microsoft.com/en-us/cpp/ide/deployment-in-visual-cpp#local-deployment
comment:15 Changed 18 months ago by
Something similar - https://bugzilla.mozilla.org/show_bug.cgi?id=866850
comment:16 Changed 17 months ago by
| Keywords: | tbb-backported added; tbb-backport removed |
|---|
This got backported to 7.0.10 with commit 50545b66c03d4fc8fb54b48ee6a34287516d43b7 on maint-7.0 in the tor-browser-bundle repo.
comment:17 Changed 9 months ago by
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
Supported Operating System Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP
Hrm, generally, you should update CRT manually when you do app-local deployment. Without that your product will not get any security updates to CRT.
There are a lot of reasons why you should upgrade to UCRT as Mozilla, but it should be solved as a mingw-w64 issue. And it is harder than usual https://mingwpy.github.io/ucrt.html