Note: Most of this was discussed on IRC.

On Mon, Mar 31, 2014 at 6:20 PM, Michael DePaulo <mikedep...@gmail.com> wrote:
> On Mon, Mar 31, 2014 at 10:09 AM, Mike Gabriel
> <mike.gabr...@das-netzwerkteam.de> wrote:
>> Hi Michael,
>>
>> On Mon 31 Mar 2014 15:19:07 CEST, Michael DePaulo wrote:
>>
>>> The latest version of VcXsrv, 1.15.0, contains the vulnerability
>>> CVE-2013-6462 in the component libXfont 1.4.6.
>>>
>>> The vulnerability is fixed in libXfont 1.4.7 and VcXsrv's master
>>> branch contains that update/fix.

VcXsrv released version 1.15.0.1 with that update/fix.

>>>
>>> I just sent the VcXsrv developer "marha" a message through
>>> SourceForge.net. I am hoping he will respond soon. I would like to
>>> avoid releasing X2Go Client 4.0.2.0 with the vulnerable VcXsrv if at
>>> all possible. As I mentioned below, I'll try to compile VcXsrv's
>>> master branch if he will not release a new VcXsrv soon. I will also
>>> try to compile the master this evening if he does not respond by then.
>>>
>>> -Mike
>>
>> are you sure you want to dive into building VcXsrv? We can also wait a
>> little more to get that fixed by marha.
>>
>> Or we could release and provide builds for Win32 a little later.
>
> Wow. He didn't reply to my sourceforge message or the bug report. But
> he did post a new version of VcXsrv with the fix, and some other
> updates:
> https://sourceforge.net/projects/vcxsrv/files/vcxsrv/1.15.0.1/
>
> I will update X2Go-WinBuilder, do a nightly build, and test X2Go Client.
>
>> On the other hand, it probably might be a benefit to be in charge of your
>> own VcXsrv builds. Maybe not now, but maybe later.
>
> This is on the back of my mind (along with a 64-bit windows build of
> x2goclient + nx-libs.) You see, VcXsrv is now compiled with VS 2012,
> so the official releases are incompatible with XP. However, as stated
> on their site, only the makefiles are incompatible with VS 2010 (XP
> compatible), the source code is still compatible. So later on, I'll
> look into how much work it would be to compile the latest VcXsrv with
> VS 2010 so that XP users can get security fixes (in addition to the
> other changes in newer versions.)
>
> -Mike#2

marha has still not responded to my message or the bug report. However, after trying lots of things out, I managed to compile VcXsrv 1.14.3 (2013-09-20) with Windows XP support, and with the fixes for CVE-2013-4396 (2013-10-08) & CVE-2013-6462 (2014-01-07).

I also determined that VcXsrv 1.14.3 already included the fixes for CVE-2013-1981..2005, CVE-2013-2062..2066 (2013-05-23). Therefore, my build contains 0 known vulnerabilities! I am calling my build 1.14.3.1.

The build is here:
http://code.x2go.org/releases/binary-win32/3rd-party/vcxsrv-modified-by-x2go-project/

And for now, the source code is here:
https://sourceforge.net/u/mikedep333/vcxsrv/ci/xp-fixesonly/tree/

I updated X2Go-WinBuilder VM to use my 1.14.3.1 build. The X2Go Client nightly build with 1.14.3.1 is here:
http://code.x2go.org/releases/binary-win32/x2goclient/heuler/mingw32-4.4/qt-4.8/x2goclient-4.0.2.0-2014.04.06-setup.exe

Here's more information on my decision to create this VcXsrv build:

1. MSVC 2012 can produce XP compatible builds as long as you are using version "Update 1" or later, and you specify the v110_xp platform toolset. This is what I used for my 1.14.3.1 build.

2. VcXsrv 1.14.2.1 is the last version with XP support because it is the last version built with MSVC 2010. VcXsrv 1.14.3 was built with MSVC 2012 and VcXsrv 1.14.4 was built with MSVC 2013. The VcXsrv project's homepage still states that they are built with MSVC 2012, but the commit messages specify otherwise.

3. Although only the VcXsrv build system / makefiles were updated for MSVC 2013 with VcXsrv 1.14.4, the build system is very large. Therefore, I did not try to modify VcXsrv 1.14.4 for MSVC 2012 & v110_xp compatibility.

4. VcXsrv 1.15's source code is incompatible with MSVC 2012 because it contains certain C99 statements.

5. It looks like VcXsrv normally builds using cmd.exe, rather than cygwin's bash shell. VcXsrv includes cygwin bash shell scripts, but they are outdated. gawk had trouble with the .bat files used during the build of xkeyboard-config, so I switched to using cygwin's bash shell for the build and updated those scripts. Building using cygwin's bash shell was successful; it used .sh files instead for the build of xkeyboard-config.
-Mike#2

_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
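One way to verify that a rebuilt VcXsrv binary really targets XP, as an added example that is not part of this thread or of the X2Go/VcXsrv projects: read the subsystem version from the PE optional header. The v110_xp toolset stamps 5.01 (x86) or 5.02 (x64) there, while the default VS 2012 toolset stamps 6.00, which the XP loader rejects. The PE header bytes below are constructed inline as sample input; `pe_versions`, `xp_compatible` and `make_sample_pe` are names chosen for this example.

```python
import struct

# Optional-header magic values from the PE/COFF specification.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_versions(data: bytes) -> dict:
    """Read linker, OS and subsystem versions from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the 4-byte signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # These fields sit at the same offsets in PE32 and PE32+ headers.
    return {
        "linker": struct.unpack_from("<BB", data, opt + 2),
        "os": struct.unpack_from("<HH", data, opt + 40),
        "subsystem": struct.unpack_from("<HH", data, opt + 48),
    }


def xp_compatible(data: bytes) -> bool:
    """True if the loader on XP (5.1) or XP x64 / Server 2003 (5.2) accepts the image."""
    return pe_versions(data)["subsystem"] <= (5, 2)


def make_sample_pe(sub_major: int, sub_minor: int, linker=(11, 0)) -> bytes:
    """Constructed, minimal PE32 header with no sections; sample input, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, PE32_MAGIC, *linker)  # magic + linker version
    struct.pack_into("<HH", opt, 40, sub_major, sub_minor)  # OS version
    struct.pack_into("<HH", opt, 48, sub_major, sub_minor)  # subsystem version
    struct.pack_into("<H", opt, 68, 2)  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("v110_xp", make_sample_pe(5, 1)), ("v110 default", make_sample_pe(6, 0))):
        verdict = "XP ok" if xp_compatible(img) else "XP refused"
        print(label, pe_versions(img)["subsystem"], verdict)
```

To check a real vcxsrv.exe, pass `open(path, "rb").read()` to `xp_compatible` in place of the constructed header.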