As reported in #4362, we should update the library versions OSX downloads. As of rP19825 they at least are all downloaded, but some of them still have bugfixes (including security ones) that we should include.
The first iteration of the patch comes from fabio.
Details
Read through the list of changes. Check that every verison changed and not changed is the most recent one.
Compile with OSX. Figure out how to test the functionality of each library provided.
gloox: enter the lobby and join a game
curl: UserReporter sending data can be tested in the mainmenu.
SDL2: Start a game, press some hotkeys. Open the chat dialog with T.
PNG: Start a game and see some icons.
MiniUPNPC: Enable Universal Plug & Play at the router and try to host a game without STUN and try to get someone to join it.
iconv: not sure where that is used
XML2: open the structure tree, scroll through all civs
boost: compile and run the game.
nspr: compile the game (needed for spidermonkey)
wxwidgets: compile the game and start atlas, click through the tabs whether they look weird
icu: compile and run the game
Should read through the changelogs of the affected version changes as well to see if there is something that might notably influence our codeflow.
Diff Detail
- Repository
- rP 0 A.D. Public Repository
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Executing section Default... Executing section Source... Executing section JS... Executing section XML GUI... Executing section Python... Executing section Perl...
http://jw:8080/job/phabricator_lint/240/ for more details.
iconv: not sure where that is used
By tinygettext and possibly by icu itself.
Should read through the changelogs of the affected version changes as well to see if there is something that might notably influence our codeflow.
Unlikely apart from the libxml issue linked above. Otherwise people running better supported OSs would have noticed something long ago.
libraries/osx/build-osx-libs.sh | ||
---|---|---|
26 ↗ | (On Diff #2703) | At least Arch Linux ships a more recent git snapshot. https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/libxml2&id=b5f1b1a97f4f00e18ad82bfa275fd30e94362c57 and the linked https://bugs.archlinux.org/task/50600 might or might not be relevant. |
29 ↗ | (On Diff #2703) | 3.0.3.1 |
43 ↗ | (On Diff #2703) | This should be 2.0.20170509 which fixes CVE-2017-8798. |
Build is green
Updating workspaces. Build (release)... Build (debug)... Running release tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Running debug tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Checking XML files...
http://jw:8080/job/phabricator/1633/ for more details.
Ack. Also cURL was outdated.
Confirmed that all versions are now the most recent stable.
(Notice the current version numbers have all been confirmed to be downloadable by Tobbi some days ago with the zlib commit.)
(Would probably be nicer to group the URLs at the head too with the according version number.)
libraries/osx/build-osx-libs.sh | ||
---|---|---|
23 ↗ | (On Diff #2703) | |
24 ↗ | (On Diff #2703) | This was outdated, "The most recent stable version is 7.54.1, released on 14th of June 2017" |
25 ↗ | (On Diff #2703) | |
26 ↗ | (On Diff #2703) | ack, 2.9.4 is the latest on the website and hosted at the URL in the script: Just updating will be easier than finding a way to apply those to 0AD: https://www.cvedetails.com/version-list/1962/3311/1/Xmlsoft-Libxml2.html |
27 ↗ | (On Diff #2703) | |
28 ↗ | (On Diff #2703) | |
29 ↗ | (On Diff #2703) | Ack. https://github.com/wxWidgets/wxWidgets/releases/ |
32 ↗ | (On Diff #2703) | |
33 ↗ | (On Diff #2703) | |
34 ↗ | (On Diff #2703) | |
36 ↗ | (On Diff #2703) | |
38 ↗ | (On Diff #2703) | |
41 ↗ | (On Diff #2703) | |
42 ↗ | (On Diff #2703) | |
43 ↗ | (On Diff #2703) |
Build is green
Updating workspaces. Build (release)... Build (debug)... Running release tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Running debug tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Checking XML files...
http://jw:8080/job/phabricator/1637/ for more details.
Executing section Default... Executing section Source... Executing section JS... Executing section XML GUI... Executing section Python... Executing section Perl...
http://jw:8080/job/phabricator_lint/243/ for more details.
Nice catch with curl.
For most of the urls we should try to switch to https, but IMO the urls themselves should stay where they are, since only two require changes when updating.
(Also I do find it entertaining that maintenance of OSX is done by people without OSX again.)
libraries/osx/build-osx-libs.sh | ||
---|---|---|
26 ↗ | (On Diff #2703) | Yes, updating to 2.9.4 fixes all vulnerabilities that were found prior to that. It does not fix those 4 (at least judging from your last link and looking at the details) which were found in the development version quite some time after the release of 2.9.4. See https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-200282/year-2017/opov-1/Xmlsoft-Libxml2-2.9.4.html |
Result of the first test run by Tobbi:
Remove patch of previous version from rP16155,
because http://trac.wxwidgets.org/changeset/76743 is part of wxWidgets 3.0.3,
see https://github.com/wxWidgets/wxWidgets/commit/1a5b71210349cc45ff88e02ccf989f8fdb45254b
(Confirmed by downloading http://github.com/wxWidgets/wxWidgets/releases/download/v3.0.3.0/wxWidgets-3.0.3.1.tar.bz2
and seeing that trying to apply https://trac.wildfiregames.com/export/16155/ps/trunk/libraries/osx/patches/wxwidgets-webkit-fix.diff
asks to revert the patch)
Changelog:
https://raw.githubusercontent.com/wxWidgets/wxWidgets/v3.0.3/docs/changes.txt
Build is green
Updating workspaces. Build (release)... Build (debug)... Running release tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Running debug tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Checking XML files...
http://jw:8080/job/phabricator/1649/ for more details.
Executing section Default... Executing section Source... Executing section JS... Executing section XML GUI... Executing section Python... Executing section Perl...
http://jw:8080/job/phabricator_lint/253/ for more details.
Don't foolishly remove the actual build call of wxWidgets (and especially keep the cpp flags from 16375).
Build is green
Updating workspaces. Build (release)... Build (debug)... Running release tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Running debug tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Checking XML files...
http://jw:8080/job/phabricator/1651/ for more details.
Executing section Default... Executing section Source... Executing section JS... Executing section XML GUI... Executing section Python... Executing section Perl...
http://jw:8080/job/phabricator_lint/255/ for more details.
libraries/osx/build-osx-libs.sh | ||
---|---|---|
26 ↗ | (On Diff #2703) | Just to state this in a slighly clearer way: 2.9.4 is still vulnerable to 4 overflows, and yes it is the newest upstream release, which is why some distros ship a git snapshot which has those fixed. |
libraries/osx/build-osx-libs.sh | ||
---|---|---|
26 ↗ | (On Diff #2703) | We don't use xmlSnprintfElementContent, xmlSnprintfElementContent, xmlDictComputeFastKey, nor xmlDictAddString, do we? |
LibICU doesn't build:
configure: error: the ICU Layout Engine has been removed
The fix is very simple, remove --enable-layout on line 553.
Apart from that everything seems to work (with the exception of #4653).
libraries/osx/build-osx-libs.sh | ||
---|---|---|
26 ↗ | (On Diff #2703) | We probably don't, at least not directly, but I haven't checked. Those are exploitable, the others are classified differently, but I do wonder why we update if we don't update to something that actually fixes all issues. Then again I do wonder why the only time anyone bothers to care about OSX is a short time before a release, and even then nobody who actually uses the OS seems to participate. |
Executing section Default... Executing section Source... Executing section JS... Executing section XML GUI... Executing section Python... Executing section Perl...
http://jw:8080/job/phabricator_lint/270/ for more details.
Build is green
Updating workspaces. Build (release)... Build (debug)... Running release tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Running debug tests... Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK! Checking XML files...
http://jw:8080/job/phabricator/1670/ for more details.