Issue 29740: Visual C++ CRT security update from 14 June 2011

Created on 2017-03-06 21:25 by markuskramerIgitt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg289135 - (view) Author: Markus (markuskramerIgitt) Date: 2017-03-06 21:25
On 14 June 2011 Microsoft released the Visual C++ 2008 runtime MFC Security Update: https://www.microsoft.com/en-us/download/details.aspx?id=26368

The Security Update also updates the CRT runtime (used by Python 2.7).

Without the security update, Python 2.7.13 uses vc90.crt 9.0.30729.4940.
With the security update, Python 2.7.13 uses vc90.crt 9.0.30729.6161.
(Use e.g. Sysinternals procexp to see.)

Why does Python not install the vc90.crt of the security update?
msg289183 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2017-03-07 20:39
We don't use MFC in Python, so we are not affected.
msg289187 - (view) Author: Markus (markuskramerIgitt) Date: 2017-03-07 21:12
I beg pardon for being pedantic. The issue is not MFC, but CRT.

The related safety bulletin (https://technet.microsoft.com/library/security/ms11-025) says:

Your application may be an attack vector if all of the following conditions are true:
- Your application makes use of the Microsoft Foundation Class (MFC) Library
- Your application allows the loading of dynamic link libraries from untrusted locations, such as WebDAV shares

This is clearly **not** the case for Python. So far so good.

I am concerned that the security update contains an updated vc90.crt 9.0.30729.6161. If Python finds the 6161 update, it will use it. I found no information on the change between the 4940 version (from Python 2.7.13) and the 6161 update (from the security update). But as Python uses the 6161 update (if it is installed), I would like to raise the question of whether Python should ship it.

I am not a security expert, so this issue is based completely on the above observations and a crumb of logic.
msg289199 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2017-03-08 05:14
There will be no changes to the CRT in the update. It's been released as a major upgrade package rather than a patch, which is why it contains all the files, but the last version field typically (and in this case definitely) indicates no change to the API or implementation beyond that described in the associated KB article.

So thanks for being thorough and bringing it to our attention, but it's not necessary to change anything here on our side, and it's probably riskier to make any change than to not make it.
History
Date                 User                Action   Args
2022-04-11 14:58:43  admin               set      github: 73926
2017-03-08 05:14:13  steve.dower         set      messages: + msg289199
2017-03-07 21:12:25  markuskramerIgitt   set      messages: + msg289187
2017-03-07 20:39:19  steve.dower         set      status: open -> closed; resolution: not a bug; messages: + msg289183; stage: resolved
2017-03-06 21:25:08  markuskramerIgitt   create