#23396 closed defect (fixed)
Update the msvcr100.dll we ship in Tor Browser
Reported by: | gk | Owned by: | tbb-team |
---|---|---|---|
Priority: | Medium | Milestone: | |
Component: | Applications/Tor Browser | Version: | |
Severity: | Normal | Keywords: | tbb-security, TorBrowserTeam201709R, tbb-backported |
Cc: | mikeperry | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | |
Description
It turns out we ship a not-up-to-date msvcr100.dll in Tor Browser (see comment:description:ticket:23390). We should fix that.
We might want to think about updating to msvcp140.dll as Mozilla ships that one with Firefox ESR 52. Not sure whether that's actually worthwhile or not.
Change History (18)
comment:1 Changed 2 years ago by
Keywords: | tbb-security added |
---|
comment:2 Changed 2 years ago by
Cc: | mikeperry added |
---|---|
Status: | new → needs_information |
Mike: do you want to update that library in your directory on people@tpo which is still used for fetching it? Or should we move away from that directory while we are at it and put the .dll somewhere else?
comment:3 Changed 2 years ago by
comment:4 Changed 2 years ago by
I am guessing that coordinating with me will result in needless round trips as we figure out which dll we actually want to use, where we want to get it, and finally authenticating it between each other and copying it into place. I think that we should just put the DLL in a new location that doesn't require me to be in the loop.
comment:5 follow-up: 8 Changed 2 years ago by
I've downloaded/extracted several msvcr100.dll files (the latest version I found was 10.0.40219.325) and get the following sha256sum:
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
Anyone getting something else/getting the same?
comment:6 Changed 2 years ago by
Status: | needs_information → new |
---|
It is the same on every up-to-date Windows machine in C:\Windows\System32
comment:7 Changed 2 years ago by
Keywords: | TorBrowserTeam201709R added; TorBrowserTeam201709 removed |
---|---|
Status: | new → needs_review |
The attached patch changes the URL to my directory on people.tpo and updates the hash value. Please double-check with different methods if I got the correct file.
To test this you might need to work around #23557.
Changed 2 years ago by
Attachment: | 0001-Bug-23396-Updating-the-msvcr100.dll-we-ship.patch added |
---|
comment:8 Changed 2 years ago by
Replying to gk:
I've downloaded/extracted several msvcr100.dll files (the latest version I found was 10.0.40219.325) and get the following sha256sum:
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 msvcr100.dll
Anyone getting something else/getting the same?
I downloaded the file from some random websites, and also got the same hash.
However, I also downloaded "Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)" from the Microsoft website:
https://www.microsoft.com/en-us/download/details.aspx?id=8328
After installing it, I get version 10.0.40219.1 (instead of 10.0.40219.325), with a different hash:
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa *Windows/SysWOW64/msvcr100.dll
So I am wondering where version 10.0.40219.325 is coming from, and if there is some way to get it from the Microsoft website.
comment:9 Changed 2 years ago by
It comes from this security update: https://support.microsoft.com/en-us/help/2565063/ms11-025-description-of-the-security-update-for-visual-c-2010-service
Do you get the new .dll after applying some updates (although it seems weird to me that M$ is distributing an outdated .dll to begin with)?
comment:10 Changed 2 years ago by
I will check if I get it after applying updates.
Version 10.0.40219.325 is signed by the same key as version 10.0.40219.1 downloaded from the Microsoft website, so it should be good.
The tor-browser-build patch also looks good.
comment:11 follow-ups: 12 17 Changed 2 years ago by
comment:12 Changed 2 years ago by
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
After installing this, I now get a msvcr100.dll with the same sha256sum: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
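Added example (not part of the ticket or of the tor-browser-build patch): a Python version of the cross-source check carried out in comments 5 to 12. It parses sha256sum lines in both text and binary ("*") form, compares each report with the digest the ticket settled on, and verifies a fetched file against that pin. The source labels, the REPORTS table and the function names are assumptions made for illustration; the digests are the ones quoted in the comments above.

```python
import hashlib
import re

# Digest the ticket settled on for msvcr100.dll 10.0.40219.325 (from the page).
PINNED_SHA256 = "8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18"

# sha256sum prints "<hex>  <name>" in text mode and "<hex> *<name>" in binary mode.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

# Reports transcribed from the ticket comments; the source labels are illustrative.
REPORTS = {
    "comment:5 extracted copies": PINNED_SHA256 + "  msvcr100.dll",
    "comment:8 SP1 redistributable":
        "60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa"
        " *Windows/SysWOW64/msvcr100.dll",
    "comment:12 download id=26999": PINNED_SHA256 + "  msvcr100.dll",
}


def parse_sha256sum_line(line):
    """Return (lowercase digest, file name) from one line of sha256sum output."""
    m = _LINE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a sha256sum line: %r" % line)
    return m.group(1).lower(), m.group(2)


def cross_check(reports, pinned):
    """Split sources into those matching the pinned digest and those that differ."""
    agree, differ = [], {}
    for source, line in sorted(reports.items()):
        digest, _name = parse_sha256sum_line(line)
        if digest == pinned.lower():
            agree.append(source)
        else:
            differ[source] = digest
    return agree, differ


def verify_file(path, pinned):
    """Hash a fetched file in chunks and accept it only on an exact digest match."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == pinned.lower()


if __name__ == "__main__":
    print(cross_check(REPORTS, PINNED_SHA256))
```

A source that differs from the pin, like the 10.0.40219.1 copy here, is a reason to find out which build it is before trusting either digest, which is what comments 8 to 12 do.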
comment:13 Changed 2 years ago by
Keywords: | tbb-backport added |
---|---|
Resolution: | → fixed |
Status: | needs_review → closed |
Thanks. Applied to master with commit 05f2d5bfb41c901d2d2b7543777e7b0d85121456.
comment:14 Changed 2 years ago by
Because Microsoft cannot automatically update locally deployed Visual C++ libraries, we caution against local deployment of these libraries. If you decide to use local deployment of redistributable libraries, we recommend that you implement your own method of automatically updating the locally deployed libraries.
https://docs.microsoft.com/en-us/cpp/ide/deployment-in-visual-cpp#local-deployment
comment:15 Changed 2 years ago by
Something similar - https://bugzilla.mozilla.org/show_bug.cgi?id=866850
comment:16 Changed 2 years ago by
Keywords: | tbb-backported added; tbb-backport removed |
---|
This got backported to 7.0.10 with commit 50545b66c03d4fc8fb54b48ee6a34287516d43b7 on maint-7.0 in the tor-browser-bundle repo.
comment:17 Changed 18 months ago by
Replying to cypherpunks:
https://www.microsoft.com/en-us/download/details.aspx?id=26999
Supported Operating System Windows 7, Windows Server 2003 R2 (32-Bit x86), Windows Server 2003 R2 x64 editions, Windows Server 2008 R2, Windows Vista Service Pack 2, Windows XP
Hrm, generally, you should update CRT manually when you do app-local deployment. Without that your product will not get any security updates to CRT.
There are a lot of reasons why you should upgrade to UCRT as Mozilla, but it should be solved as a mingw-w64 issue. And it is harder than usual https://mingwpy.github.io/ucrt.html