Opened 5 years ago

Closed 5 years ago

#15281 closed defect (duplicate)

Gtk libraries dangerously out of date?

Reported by: ioerror
Owned by: datallah
Milestone:
Component: winpidgin (gtk)
Version: 2.10.6
Keywords: security
Cc:

Description

I installed pidgin 2.10.6 today and downloaded GTK during the install process as mentioned in #15277.

It appears that the libraries in that GTK package are dangerously out of date:

-rw-r--r-- 1 nobody nogroup  535264 2010-02-05 13:03 freetype6.dll
-rw-r--r-- 1 nobody nogroup   25294 2010-02-07 12:30 gdk-pixbuf-query-loaders.exe
-rw-r--r-- 1 nobody nogroup   24264 2009-09-02 13:13 gspawn-win32-helper-console.exe
-rw-r--r-- 1 nobody nogroup   25718 2009-09-02 13:13 gspawn-win32-helper.exe
-rw-r--r-- 1 nobody nogroup   26251 2010-02-07 12:35 gtk-query-immodules-2.0.exe
-rw-r--r-- 1 nobody nogroup  104861 2008-01-24 14:54 intl.dll
-rw-r--r-- 1 nobody nogroup  150664 2009-06-01 02:07 libatk-1.0-0.dll
-rw-r--r-- 1 nobody nogroup  904525 2010-02-20 04:12 libcairo-2.dll
-rw-r--r-- 1 nobody nogroup  143096 2009-01-31 13:42 libexpat-1.dll
-rw-r--r-- 1 nobody nogroup  279059 2010-02-05 12:55 libfontconfig-1.dll
-rw-r--r-- 1 nobody nogroup   53043 2010-02-07 12:37 libgailutil-18.dll
-rw-r--r-- 1 nobody nogroup  252150 2010-02-07 12:30 libgdk_pixbuf-2.0-0.dll
-rw-r--r-- 1 nobody nogroup  827670 2010-02-07 12:31 libgdk-win32-2.0-0.dll
-rw-r--r-- 1 nobody nogroup  482872 2009-09-02 13:14 libgio-2.0-0.dll
-rw-r--r-- 1 nobody nogroup 1100888 2009-09-02 13:13 libglib-2.0-0.dll
-rw-r--r-- 1 nobody nogroup   31692 2009-09-02 13:13 libgmodule-2.0-0.dll
-rw-r--r-- 1 nobody nogroup  314501 2009-09-02 13:13 libgobject-2.0-0.dll
-rw-r--r-- 1 nobody nogroup   40146 2009-09-02 13:13 libgthread-2.0-0.dll
-rw-r--r-- 1 nobody nogroup 4740156 2010-02-07 12:35 libgtk-win32-2.0-0.dll
-rw-r--r-- 1 nobody nogroup  337702 2010-02-07 23:27 libpango-1.0-0.dll
-rw-r--r-- 1 nobody nogroup   95189 2010-02-07 23:27 libpangocairo-1.0-0.dll
-rw-r--r-- 1 nobody nogroup  686030 2010-02-07 23:27 libpangoft2-1.0-0.dll
-rw-r--r-- 1 nobody nogroup  102774 2010-02-07 23:27 libpangowin32-1.0-0.dll
-rw-r--r-- 1 nobody nogroup  219305 2010-01-12 06:05 libpng14-14.dll
-rw-r--r-- 1 nobody nogroup   27101 2010-02-07 23:27 pango-querymodules.exe
-rw-r--r-- 1 nobody nogroup   55808 2004-10-04 17:08 zlib1.dll

The manifest folder shows the following:

-rw-r--r-- 1 nobody nogroup 3347 2009-06-01 02:07 atk_1.26.0-1_win32.mft
-rw-r--r-- 1 nobody nogroup  187 2010-02-20 04:13 cairo_1.8.10-1_win32.mft
-rw-r--r-- 1 nobody nogroup   52 2009-01-31 13:42 expat_2.0.1-1_win32.mft
-rw-r--r-- 1 nobody nogroup   83 2010-02-05 12:56 fontconfig_2.8.0-2_win32.mft
-rw-r--r-- 1 nobody nogroup   55 2010-02-05 13:04 freetype_2.3.11-2_win32.mft
-rw-r--r-- 1 nobody nogroup   67 2008-01-24 15:12 gettext-runtime-0.17-1.mft
-rw-r--r-- 1 nobody nogroup 3659 2009-09-02 13:15 glib_2.20.5-1_win32.mft
-rw-r--r-- 1 nobody nogroup 3636 2010-01-07 00:02 glib_2.22.4-1_win32.mft
-rw-r--r-- 1 nobody nogroup 9293 2010-02-07 12:40 gtk+_2.16.6-2_win32.mft
-rw-r--r-- 1 nobody nogroup   54 2010-01-12 06:05 libpng_1.4.0-1_win32.mft
-rw-r--r-- 1 nobody nogroup  221 2010-02-07 23:28 pango_1.26.2-1_win32.mft

If those dates and versions are correct... It's really time to update the GTK dependencies or Windows users are remotely exploitable.

At the very least these are exploitable/known buggy:

FreeType 2.3.11 - the latest 2.3.x is 2.3.12 - the current stable version is 2.4.10

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1133

expat 2.0.1 - the current stable version is 2.1.0

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876

libpng 1.4.0 - the current stable version is 1.5.12

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2690

zlib 1.2.2 - the current stable is 1.2.7

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849

I didn't look at everything but I'd guess that every single library has a similar story. :(
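Added example, not part of the original ticket or of Pidgin's build scripts: the manual check in the description, automated by parsing the manifest file names from the listing and comparing them with the "current stable" versions the reporter quotes. The function names, the result keys and the use of those quoted versions as a baseline are assumptions made for this sketch; the manifest names are copied from the ticket.

```python
import re

# Manifest file names copied from the listing in the ticket.
MANIFESTS = [
    "atk_1.26.0-1_win32.mft", "cairo_1.8.10-1_win32.mft",
    "expat_2.0.1-1_win32.mft", "fontconfig_2.8.0-2_win32.mft",
    "freetype_2.3.11-2_win32.mft", "gettext-runtime-0.17-1.mft",
    "glib_2.20.5-1_win32.mft", "glib_2.22.4-1_win32.mft",
    "gtk+_2.16.6-2_win32.mft", "libpng_1.4.0-1_win32.mft",
    "pango_1.26.2-1_win32.mft",
]

# "Current stable" versions exactly as the reporter states them (assumed baseline).
CURRENT_STABLE = {"freetype": "2.4.10", "expat": "2.1.0",
                  "libpng": "1.5.12", "zlib": "1.2.7"}

# <name>[_-]<upstream version>-<package revision>[_win32].mft
MANIFEST_RE = re.compile(
    r"^(?P<name>.+?)[_-](?P<ver>\d+(?:\.\d+)+)-\d+(?:_win32)?\.mft$")

def vtuple(version):
    """'2.3.11' -> (2, 3, 11) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def inventory(names):
    """Map package name -> bundled upstream versions, oldest first."""
    found = {}
    for name in names:
        m = MANIFEST_RE.match(name)
        if m is None:
            raise ValueError("unrecognised manifest name: " + name)
        found.setdefault(m.group("name"), []).append(m.group("ver"))
    return {pkg: sorted(vers, key=vtuple) for pkg, vers in found.items()}

def audit(names, baseline):
    """Compare the manifest inventory against a version baseline."""
    inv = inventory(names)
    return {
        # newest bundled version is still older than the baseline
        "behind": {p: (inv[p][-1], want) for p, want in baseline.items()
                   if p in inv and vtuple(inv[p][-1]) < vtuple(want)},
        # more than one manifest for the same package
        "ambiguous": {p: v for p, v in inv.items() if len(v) > 1},
        # in the baseline but shipped without any manifest
        "no_manifest": sorted(set(baseline) - set(inv)),
    }

if __name__ == "__main__":
    for key, value in audit(MANIFESTS, CURRENT_STABLE).items():
        print(key, value)
```

zlib lands in `no_manifest` because the listing contains `zlib1.dll` but no zlib manifest, so a manifest-only inventory has to be paired with a check of the DLLs themselves.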

Change History (2)

comment:1 Changed 5 years ago by abadidea

Was asked if I was seeing the same thing, I did a clean install of the current binary build for Windows and I can confirm that according to the DLL metadata:

nss3.dll / ssl3.dll are 3.12.5.0 which is a few years out of date: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

zlib1.dll is 1.2.2.0 which is extremely out of date: http://zlib.net/ cites 1.2.3 as being in 2005. The embedded copyright is 1995-2004. I really want to believe that this is a build script error inserting the wrong version?? Because if not that is REALLY bad.

libgtk-win32-2.0-0.dll is apparently actually 2.16.6.0 and the embedded copyright is 2005. http://www.gtk.org/download/win32.php says that 2.24 is the current stable.

libpng does not have an embedded version but is named libpng14-14.dll which I take to be 1.4.14, which is... okay what is up with libpng's numbering scheme? There appear to be several concurrent number ranges? The most recent vuln warning for 1.4.x is 1.4.11 so I guess this one is okay.

As ioerror points out, leaving libraries that handle network data to version decay can lead to very high exploitability risk...

comment:2 Changed 5 years ago by QuLogic

  • Resolution set to duplicate
  • Status changed from new to closed

Closed as duplicate of #14571.
