View Issue Details

IDProjectCategoryView StatusLast Update
0004810The Dark ModDesign/Codingpublic10.04.2019 04:43
ReporterStefanB Assigned Tostgatilov  
PrioritynormalSeveritynormalReproducibilityalways
Status resolvedResolutionfixed 
PlatformLinuxOSOS Version
Product VersionTDM 2.06 
Target VersionTDM 2.08Fixed in VersionTDM 2.08 
Summary0004810: Stop shipping/using outdated bundles of dependencies
DescriptionTDM ships a lot of bundled dependencies, while most distributions ship significantly more recent version.

DevIL 1.7.2, Sep. 2008, current: 1.8.0, Jan. 2017
libpng 1.4.5, Dec 2010, current: 1.6.34, Sep. 2017
libjpeg ?, May 2010, current: libjpeg-turbo, 1.5.3, Dec. 2017

Dito for curl, polarssl, zlib, ffmpeg.

All these libraries consume potentially untrusted input.

Security problems:
DevIL: CVE-2009-3994
libpng: several, see http://www.libpng.org/pub/png/libpng.html
libjpeg: several, e.g. CVE-2013-6629
TagsNo tags attached.

Relationships

related to 0004817 resolvedstgatilov Remove boost (and libsvn) from tdm_update 
related to 0004822 resolvedstgatilov Restructure third-party libraries in code SVN 
related to 0004533 closedstgatilov VC++ build cleaning 

Activities

stgatilov

stgatilov

01.06.2018 13:07

developer   ~0010487

While updating the dependencies is definitely a good idea, I wouldn't worry so about vulnerabilities.

We have a game engine (originally written by ID team). And no one ever cared about it safety. It includes so many vulnerabilities on its own, that dependencies are the least culprit if you start thinking about it.
stgatilov

stgatilov

05.06.2018 01:38

developer   ~0010499

One minor note for the dependencies update:
  http://forums.thedarkmod.com/topic/19473-redesign-directory-structure-of-tdm-dependencies/#entry422669
If all dependencies (after boost removal, I suppose) can be easily compiled on every platform, then perhaps include build scripts instead of libraries.

Well, this is an idea to investigate, at least.
StefanB

StefanB

05.06.2018 16:46

reporter   ~0010500

Why not just use what is available on the system?

I have created a build which uses libpng, libjpeg, ffmpeg, zlib, DevIL from the system, and it builds and runs fine.

The whole package (tdm and tdm_update) is just 4MByte. It includes all the security fixes and performance improvements of the last years (e.g. usage of AVX instructions in libjpeg-turbo and ffmpeg).

For Windows and MacOS, shipping the dependencies might be necessary, but I doubt anyone is building tdm on Linux and is unable to install some more dependencies.

For the package and patches, see https://build.opensuse.org/package/show/home:StefanBruens:branches:games/thedarkmod
stgatilov

stgatilov

10.04.2019 04:42

developer   ~0011720

As a part of related issue 0004822, I have updated all dependencies in svn rev 8158 (branch 3rdparty_4822 merged) and svn rev 8161.
Usually I chose the most recent version of library available in conan package manager.

I believe we should continue linking all dependencies in statically on both Windows and Linux. We have non-tech-savvy Linux players, who have no idea how to build stuff: they just download the binary and run it. For this use case to work without issues, it is important to NOT use any system dependency, and instead link everything statically.
I assume that this way also removes any issues due to differences in Linux distributions, although I am not sure here.

Anyway, I'm pretty sure that it is now much easier to switch build to system dependencies if you want. Just search for "ThirdParty" keyword in scons files, there would be two places: include paths and static libs. Adjust them to system stuff, and it should work.
I thought about adding an option to scons build for using system dependencies. If there is demand, please create new issue.

Issue History

Date Modified Username Field Change
31.05.2018 19:18 StefanB New Issue
01.06.2018 13:07 stgatilov Note Added: 0010487
01.06.2018 13:07 stgatilov Assigned To => stgatilov
01.06.2018 13:07 stgatilov Status new => assigned
04.06.2018 03:49 stgatilov Relationship added related to 0004817
05.06.2018 01:38 stgatilov Note Added: 0010499
05.06.2018 16:20 stgatilov Relationship added related to 0004822
05.06.2018 16:46 StefanB Note Added: 0010500
06.06.2018 03:57 stgatilov Relationship added related to 0004533
20.01.2019 07:17 stgatilov Target Version => TDM 2.08
10.04.2019 04:42 stgatilov Note Added: 0011720
10.04.2019 04:43 stgatilov Status assigned => resolved
10.04.2019 04:43 stgatilov Fixed in Version => TDM 2.08
10.04.2019 04:43 stgatilov Resolution open => fixed