Page MenuHomeWildfire Games

Update OSX libraries
ClosedPublic

Authored by elexis on Jun 26 2017, 4:58 PM.

Details

Summary

As reported in #4362, we should update the library versions OSX downloads. As of rP19825 they at least are all downloaded, but some of them still have bugfixes (including security ones) that we should include.
The first iteration of the patch comes from fabio.

Test Plan

Read through the list of changes. Check that every verison changed and not changed is the most recent one.
Compile with OSX. Figure out how to test the functionality of each library provided.

gloox: enter the lobby and join a game
curl: UserReporter sending data can be tested in the mainmenu.
SDL2: Start a game, press some hotkeys. Open the chat dialog with T.
PNG: Start a game and see some icons.
MiniUPNPC: Enable Universal Plug & Play at the router and try to host a game without STUN and try to get someone to join it.
iconv: not sure where that is used
XML2: open the structure tree, scroll through all civs
boost: compile and run the game.
nspr: compile the game (needed for spidermonkey)
wxwidgets: compile the game and start atlas, click through the tabs whether they look weird
icu: compile and run the game

Should read through the changelogs of the affected version changes as well to see if there is something that might notably influence our codeflow.

Diff Detail

Repository
rP 0 A.D. Public Repository
Branch
/ps/trunk
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 2415
Build 4039: Vulcan LintJenkins
Build 4038: Vulcan BuildJenkins
Build 4037: arc lint + arc unit

Event Timeline

elexis created this revision.Jun 26 2017, 4:58 PM
Vulcan added a subscriber: Vulcan.Jun 26 2017, 7:19 PM
Executing section Default...
Executing section Source...
Executing section JS...
Executing section XML GUI...
Executing section Python...
Executing section Perl...

http://jw:8080/job/phabricator_lint/240/ for more details.

leper added a subscriber: leper.

iconv: not sure where that is used

By tinygettext and possibly by icu itself.

Should read through the changelogs of the affected version changes as well to see if there is something that might notably influence our codeflow.

Unlikely apart from the libxml issue linked above. Otherwise people running better supported OSs would have noticed something long ago.

libraries/osx/build-osx-libs.sh
26

At least Arch Linux ships a more recent git snapshot.

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/libxml2&id=b5f1b1a97f4f00e18ad82bfa275fd30e94362c57 and the linked https://bugs.archlinux.org/task/50600 might or might not be relevant.
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/libxml2&id=2cf41bb19103acc973d7043aa48d74a706f70c9b claims to fix some security issues, I guess someone could just look at all CVEs for libxml2 since the 2.9.4 release.

29

3.0.3.1

43

This should be 2.0.20170509 which fixes CVE-2017-8798.

Build is green

Updating workspaces.
Build (release)...
Build (debug)...
Running release tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Running debug tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Checking XML files...

http://jw:8080/job/phabricator/1633/ for more details.

elexis marked 3 inline comments as done.Jun 27 2017, 2:35 PM

Ack. Also cURL was outdated.
Confirmed that all versions are now the most recent stable.
(Notice the current version numbers have all been confirmed to be downloadable by Tobbi some days ago with the zlib commit.)
(Would probably be nicer to group the URLs at the head too with the according version number.)

libraries/osx/build-osx-libs.sh
23
24

This was outdated, "The most recent stable version is 7.54.1, released on 14th of June 2017"
https://curl.haxx.se/

25
26

ack, 2.9.4 is the latest on the website and hosted at the URL in the script:
http://xmlsoft.org/downloads.html
http://xmlsoft.org/news.html

Just updating will be easier than finding a way to apply those to 0AD: https://www.cvedetails.com/version-list/1962/3311/1/Xmlsoft-Libxml2.html

27
28
29

Ack.
Changing the URL, as 3.0.3 isn't hosted at sourceforge anymore.
Adding the same comment ICU_VERSION has.

https://github.com/wxWidgets/wxWidgets/releases/
Lies: https://www.wxwidgets.org/downloads/

32
33
34
36
38
41
42
43
elexis updated this revision to Diff 2714.Jun 27 2017, 2:36 PM
elexis marked 3 inline comments as done.

Update everything to the most recent stable.

Build is green

Updating workspaces.
Build (release)...
Build (debug)...
Running release tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Running debug tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Checking XML files...

http://jw:8080/job/phabricator/1637/ for more details.

Executing section Default...
Executing section Source...
Executing section JS...
Executing section XML GUI...
Executing section Python...
Executing section Perl...

http://jw:8080/job/phabricator_lint/243/ for more details.

Nice catch with curl.

For most of the urls we should try to switch to https, but IMO the urls themselves should stay where they are, since only two require changes when updating.

(Also I do find it entertaining that maintenance of OSX is done by people without OSX again.)

libraries/osx/build-osx-libs.sh
26

Yes, updating to 2.9.4 fixes all vulnerabilities that were found prior to that. It does not fix those 4 (at least judging from your last link and looking at the details) which were found in the development version quite some time after the release of 2.9.4. See https://www.cvedetails.com/vulnerability-list/vendor_id-1962/product_id-3311/version_id-200282/year-2017/opov-1/Xmlsoft-Libxml2-2.9.4.html

Build is green

Updating workspaces.
Build (release)...
Build (debug)...
Running release tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Running debug tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Checking XML files...

http://jw:8080/job/phabricator/1649/ for more details.

Executing section Default...
Executing section Source...
Executing section JS...
Executing section XML GUI...
Executing section Python...
Executing section Perl...

http://jw:8080/job/phabricator_lint/253/ for more details.

elexis updated this revision to Diff 2735.Jun 28 2017, 5:27 PM

Don't foolishly remove the actual build call of wxWidgets (and especially keep the cpp flags from 16375).

Build is green

Updating workspaces.
Build (release)...
Build (debug)...
Running release tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Running debug tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Checking XML files...

http://jw:8080/job/phabricator/1651/ for more details.

Executing section Default...
Executing section Source...
Executing section JS...
Executing section XML GUI...
Executing section Python...
Executing section Perl...

http://jw:8080/job/phabricator_lint/255/ for more details.

leper added inline comments.Jun 29 2017, 9:00 PM
libraries/osx/build-osx-libs.sh
26

Just to state this in a slighly clearer way: 2.9.4 is still vulnerable to 4 overflows, and yes it is the newest upstream release, which is why some distros ship a git snapshot which has those fixed.

elexis added inline comments.Jun 29 2017, 10:43 PM
libraries/osx/build-osx-libs.sh
26

We don't use xmlSnprintfElementContent, xmlSnprintfElementContent, xmlDictComputeFastKey, nor xmlDictAddString, do we?
There are more vulns than on 2.0.4. than those 4.
Also didn't check all the other released versions for vulnerabilities.
The current patch uploaded was tested by Tobbi, don't know if he, wraitii or Itms can test and update.
Maybe we can add patches from developmental snapshops in a separate diff, so that the changes as of now don't have to be rereviewed.

Itms requested changes to this revision.Jun 29 2017, 10:47 PM

LibICU doesn't build:

configure: error: the ICU Layout Engine has been removed

The fix is very simple, remove --enable-layout on line 553.

Apart from that everything seems to work (with the exception of #4653).

This revision now requires changes to proceed.Jun 29 2017, 10:47 PM
elexis updated this revision to Diff 2765.Jun 29 2017, 10:50 PM
elexis edited edge metadata.

Remove --enable-layout

leper added inline comments.Jun 29 2017, 10:57 PM
libraries/osx/build-osx-libs.sh
26

We probably don't, at least not directly, but I haven't checked. Those are exploitable, the others are classified differently, but I do wonder why we update if we don't update to something that actually fixes all issues. Then again I do wonder why the only time anyone bothers to care about OSX is a short time before a release, and even then nobody who actually uses the OS seems to participate.

Executing section Default...
Executing section Source...
Executing section JS...
Executing section XML GUI...
Executing section Python...
Executing section Perl...

http://jw:8080/job/phabricator_lint/270/ for more details.

This revision was automatically updated to reflect the committed changes.

Build is green

Updating workspaces.
Build (release)...
Build (debug)...
Running release tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Running debug tests...
Running cxxtest tests (306 tests)..................................................................................................................................................................................................................................................................................................................OK!
Checking XML files...

http://jw:8080/job/phabricator/1670/ for more details.