restrict the DLLs we load on win32 to avoid those with known vulnerabilities

[totaam]

Issue migrated from trac ticket # 749

component: client | priority: major | resolution: wontfix | keywords: win32

2014-12-01 20:28:37: antoine created the issue

---

For example: flac changelog: Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow) in 1.3.1

Related to:

• update libpng and libjpeg in binary builds #544: jpeg and png are out of date..
• building all the dependencies from source on win32 #678: gtk3 build from source
• setup a proper build infrastructure for win32 builds #300: gtk2 build from source
• try newer gstreamer win32 builds #299: gstreamer build from source

We should at least exclude flac on win32, it would also be a good idea to inspect all the media libraries we ship and blacklist the ones that are too out of date / vulnerable (hopefully this will leave some we can still use).

[totaam]

2014-12-01 20:46:09: antoine changed status from new to assigned

[totaam]

2014-12-01 20:46:09: antoine commented

---

r8163 avoids flac on win32 with gstreamer 0.10 - should be backported.

We now need to go through the rest of the dlls..

[totaam]

2015-01-18 10:45:17: antoine commented

---

Backport in 8501.

[totaam]

2015-02-02 09:52:53: totaam changed status from assigned to closed

[totaam]

2015-02-02 09:52:53: totaam set resolution to wontfix

[totaam]

2015-02-02 09:52:53: totaam commented

---

With the number of dlls we cannot replace since we cannot build GTK2 from source, I think it is just too hard to make the win32 safe.
We need either a native client (pure pywin32?) or use GTK3 (#640).