[Freeciv-Dev] [bug #24321] Obsolete or insecure libraries

Sun, 17 Jan 2016 15:44:40 -0800 

URL:
  <http://gna.org/bugs/?24321>

                 Summary: Obsolete or insecure libraries
                 Project: Freeciv
            Submitted by: dunnoob
            Submitted on: Sun 17 Jan 2016 11:44:16 PM UTC
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: 
         Discussion Lock: Any
        Operating System: None
         Planned Release: 

    _______________________________________________________

Details:

Freeciv-2.5.99-alpha+r31157-gtk2 on Windows installs libpng14-14.dll AND
libpng15-15.dll.  It should either use libpng20-20.dll or later to get rid of
some obscure libpng security issues (cf. libpng site), or stick to
libpng14-14.dll.  The PNG folks managed to break their ICC color profile
handling somewhere between 15 and 19 temporarily, 14 is a last known good
version, allegedly 20 is again good enough.

Freeciv-2.5.99-alpha+r31157-gtk2 on Windows installs libeay32.dll and
libssl32.dll, but these critical libraries do not show their version numbers
in Windows explorer (unlike most other DLLs used by FreeCiv.)  Default
assumption:  Whatever openSSL you have, it is critically insecure and fixed in
a newer openSSL.

The libvorbis-0.dll used in FreeCiv 2.4.4 up to 2.5.99 has a size of 154 KB. 
The same (?) library in Wesnoth 1.12.2 has a size of 215 KB.  One FreeCiv
version claims to be libVorbis I 20090709...
Xiph.Org libVorbis 1.2.3, the Wesnoth 1.12.2 version claims to be libVorbis I
20140122 (Turpak<UTF-8>).Xiph.Org libVorbis 1.3.4. Maybe the Wesnoth libVorbis
is "better" or at least "fresher".

The Xiph.org libvorbis license wants to be shown somewhere even in binary
distributions (ordinary copyright + disclaimer), but I don't find the place
where FreeCiv and Wesnoth try this.  FFMpeg and MPlayer (etc.) are distributed
with a libvorbis.txt license.

IMHO the libMagick* stuff is gross, it seriouly uses 48 (or 64) bits for about
1000 colours.  Windows users can handle PPM P6 for 24 bits RGB (or PAM P7 with
transparency in 32 bits) if they have FFMpeg or XnView or NetPBM or ANYTHING
better than only MSPaint.

If you can offer PNG (24 bits RGB or 32 bits RGBA) based only on
libpngNN-NN.dll + zlib1.dll you might not need the two libMagick*.





    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?24321>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
[email protected]
https://mail.gna.org/listinfo/freeciv-dev

Reply via email to