Re: [tor-bugs] #23663 [Applications/Tor Browser]: ESR52 codebase is incompatible with anything below Universal C Runtime (CRT) in Windows
#23663: ESR52 codebase is incompatible with anything below Universal C Runtime
(CRT) in Windows
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-security | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):
* status: needs_information => new
Comment:
Replying to [comment:7 gk]:
> Replying to [comment:6 cypherpunks]:
> > Replying to [comment:5 gk]:
> > > Replying to [comment:4 cypherpunks]:
> > > > Don't you see that Jacek's patch activated compat shims for mingw? They were removed later as useless for UCRT (but needed for <= `msvcr120.dll`!).
> > >
> > > Oh, okay. You are just concerned about https://hg.mozilla.org/mozilla-central/rev/5680a55b2ec1?
> > Of course, no.
> > > I thought about cases in the other patches as well as you posted them in the description. But as I said they are guarded by `_MSC_VER` defines which are not used by mingw-w64 anyway.
> > But they should have been adapted to mingw where it's about CRT bugs.
>
> Why? Removing those patches does not change anything with respect to mingw-w64. Those code parts did not get used for it before code removal either.
Because you're using CRT, obviously. Patches for MSVC don't change anything, but for CRT do, e.g. https://hg.mozilla.org/mozilla-central/rev/398f38361dc2#l10.10
> > > So it seems
> > > {{{
> > > -if CONFIG['OS_ARCH'] == 'WINNT':
> > > - SOURCES += [
> > > - '../compat/strtod.c'
> > > }}}
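Review bot: the removed `SOURCES` entry is guarded only by `CONFIG['OS_ARCH'] == 'WINNT'`, so deleting it drops `../compat/strtod.c` from every Windows build, whatever toolchain or C runtime that build links against. If the compat implementation is only unnecessary for some of those builds, narrow the condition instead of removing the block, or state in the commit message which `strtod` the Windows builds are expected to use after the removal.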
> > > is the thing that is bothering you. Back then this got introduced to fix compilation with mingw-w64. But that's not an issue anymore without this particular code.
> > They, probably, don't use CRT then.
> > > So, what exactly is the problem with that removal for our mingw-w64 builds as they are building fine now?
> > Building fine, but working?
>
> What is not working due to those code changes?
Depends on whether the used implementation is correct.
> > > And could you point to the security problematic that you think is obvious with removing those three code lines? (the one you mentioned in comment:2 does not seem to be it)
> > No, the security problematic is that ESR52 was never tested with anything below UCRT and in general:
>
> It was, we shipped alpha releases before we switched Tor Browser stable users to ESR 52.
By Mozilla, was meant.
> > > It makes it very expensive for us to fix bugs in already-released versions of the libraries because we are no longer actively working in the codebases for those versions, so fixes must be individually backported and tested. The result is that we usually fix only serious security vulnerabilities in old versions of the libraries. Other bugs are generally fixed only for the next major version. (M$)
>
> Where is this quote from?
https://blogs.msdn.microsoft.com/vcblog/2014/06/10/the-great-c-runtime-crt-refactoring/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23663#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online