We don't use libpng or libjpeg all that much, most of the picture format parsing is done using Pillow, but there are still codepaths that rely on GTK for parsing (ie: window icons), and GTK uses those libraries. In some recent OSX builds, Pillow had gone missing because of packaging issues (see ticket:500#comment:16), which means that we ended up using the GTK fallback.
The problem is that there are many security issues in libpng (and probably also in libjpeg), just look at the libpng home page which is full of CVE entries... So all in all, it isn't too difficult for a hostile server to use PNG or JPEG to attack the client.
For OSX, it isn't too bad, we can probably bump the libpng version in the moduleset (see #533), but for win32... building (Py)GTK from source is very hard, and updating the libpng14-14.dll in place may not be possible.. Ouch! One way to solve this is #300 ("setup a proper build infrastructure for win32 builds")
libjpeg seems to very very slow at making new releases, so maybe we can switch to one of those instead (assuming that those are API compatible):
I've bumped by OSX build to libpng-1.6.10 as part of testing for #533 and it seems to work fine, libjpeg can probably be bumped the same way. So OSX isn't too much of a problem.
win32 on the other hand...
I've updated my OSX build environment with:
libjpeg-turbo-1.3.1
tiff-4.0.3
libpng-1.6.10
Then:
gdk-pixbuf:
jhbuild buildone -f gdk-pixbuf
Pillow (which does link against libjpeg):
rm -fr ~/gtk/inst/lib/python2.7/site-packages/Pillow* easy_install -U Pillow
And it seems OK now.
For reference, you can find the full list of .dylibs and .sos that use those libraries with command lines like:
cd;clear;reset;find gtk/inst/lib -name "*so" -ls -exec otool -L {} \; | egrep "^gtk/inst|jpeg"
Please update your build environment as per above, preferably by merging the new versions in the moduleset as per #533 - then close this ticket.
For win32, this will have to be done as part of #300 (updated and re-scheduled).
I did merge these into the moduleset however I think by adding these to .jhbuildrc-custom might also work
branches["libjpeg"] = "http://softlayer-dal.dl.sourceforge.net/project/libjpeg-turbo/1.3.1/libjpeg-turbo-1.3.1.tar.gz" branches["libpng"] = "http://softlayer-dal.dl.sourceforge.net/project/libpng/libpng16/1.6.10/libpng-1.6.10.tar.gz" branches["libtiff"] = "http://download.osgeo.org/libtiff/tiff-4.0.3.tar.gz"
It seem to have compiled those versions on my system when building the rest of gtk so that might be an easier way for osx.
The versions in the binary win32 GTK3 builds (see #90) are reasonably up to date, and we should be able to update them more easily, if not build the whole thing from source. The OSX ones are updated as per above, will be tracked in #533.
So I think we can close this.
Note: as per ticket:263#comment:10, we may want to revive this ticket and use these instructions: GTK+ for Windows to build a more up to date GTK2.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/544