Issue 127197 - Bundling msvcr100.dll is error-prone, insecure and hard to maintain
Summary: Bundling msvcr100.dll is error-prone, insecure and hard to maintain
Status: CLOSED WONT_FIX
Alias: None
Product: General
Classification: Code
Component: code
Version: 4.1.3
Hardware: All Windows, all
Importance: P5 (lowest) Normal
Target Milestone: 4.1.4
Assignee: Ariel Constenla-Haile
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-28 03:11 UTC by Ariel Constenla-Haile
Modified: 2017-05-20 10:03 UTC

See Also:
Issue Type: ENHANCEMENT
Latest Confirmation in: ---
Developer Difficulty: ---
arielch: 4.1.4_release_blocker-


Description Ariel Constenla-Haile 2016-10-28 03:11:20 UTC
Due to Issue 120979 we bundle msvcr100.dll to support Java on Windows.

Although this isn't bad, MS advises using the Visual C++ Redistributable Packages or redistributable merge modules:

"It's also possible to directly install redistributable Visual C++ DLLs in the application local folder, which is the folder that contains your executable application file. For servicing reasons, we do not recommend that you use this installation location."
From https://msdn.microsoft.com/en-us/library/ms235299.aspx

If MS found a vulnerability in msvcr100.dll, we should provide a new release just to fix it by including the new version of the DLL.
Comment 1 Ariel Constenla-Haile 2016-10-28 03:19:03 UTC
Including the Visual C++ 2010 Redistributable Package x86 (we don't need the 64 bit version, because AOO is a 32 bit application and so it cannot load a 64 bit JVM) slightly increases the size of the installer:

135M Apache_OpenOffice_4.1.3_Win_x86_install_en-US.exe
143M Apache_OpenOffice_4.1.4_Win_x86_install_en-US.exe

The options are:

1) bundle the updated 32 bit version of msvcr100.dll

2) bundle the Visual C++ 2010 Redistributable Package

3) do not bundle anything, and advise the users to install the Visual C++ 2010 Redistributable Package by themselves

You can test with the installers at http://home.apache.org/~arielch/AOO414/
Comment 2 Andrea Pescetti 2016-10-28 07:17:02 UTC
Asking users to install an extra package is not going to work, especially if they were used to getting msvcr100.dll together with OpenOffice in the past. I'm OK with both the other options.
Comment 3 Pedro 2016-10-28 08:43:15 UTC
(In reply to Ariel Constenla-Haile from comment #1)
> Including the Visual C++ 2010 Redistributable Package x86 (we don't need the
> 64 bit version, because AOO is a 32 bit application and so it cannot load a
> 64 bit JVM) slightly increases the size of the installer:

Which makes me wonder why the MSVC 2008 x64 is bundled with AOO? It's only 5Mb but if it's useless, what is the point?

What is the bundled MSVC 2008 x86 needed for anyway? Why force a two step installation?
 
> The options are:
> 
> 1) bundle the updated 32 bit version of msvcr100.dll

Yes, please!
Comment 4 Matthias Seidel 2016-10-28 10:15:06 UTC
(In reply to Ariel Constenla-Haile from comment #1)
> Including the Visual C++ 2010 Redistributable Package x86 (we don't need the
> 64 bit version, because AOO is a 32 bit application and so it cannot load a
> 64 bit JVM) slightly increases the size of the installer:
> 
> 135M Apache_OpenOffice_4.1.3_Win_x86_install_en-US.exe
> 143M Apache_OpenOffice_4.1.4_Win_x86_install_en-US.exe
> 
> The options are:
> 
> 1) bundle the updated 32 bit version of msvcr100.dll
> 
> 2) bundle the Visual C++ 2010 Redistributable Package
> 
> 3) do not bundle anything, and advise the users to install the Visual C++
> 2010 Redistributable Package by themselves 
> 
> You can test with the installers at http://home.apache.org/~arielch/AOO414/

I just tested the (German) installation and I see that now not only "Microsoft Visual C++ 2010  x86 Redistributable Setup" but also "Microsoft Visual C++ 2008 Redistributable Setup" (both 32 and 64bit) are bundled under "C:\Users\Seidel\Desktop\OpenOffice 4.1.4 (de) Installation Files\redist".
Comment 5 Matthias Seidel 2016-10-28 10:35:11 UTC
Verzeichnis von C:\Users\Seidel\Desktop\OpenOffice 4.1.4 (de) Installation Files\redist

28.10.2016  12:27    <DIR>          .
28.10.2016  12:27    <DIR>          ..
27.10.2016  15:54         8.990.552 vcredist100_x86.exe
27.10.2016  15:54         5.207.896 vcredist_x64.exe
27.10.2016  15:54         4.479.832 vcredist_x86.exe
               4 Datei(en),     18.678.280 Bytes
               2 Verzeichnis(se), 12.006.752.256 Bytes frei
Comment 6 Ariel Constenla-Haile 2016-10-28 15:49:50 UTC
(In reply to Pedro from comment #3)
> (In reply to Ariel Constenla-Haile from comment #1)
> > Including the Visual C++ 2010 Redistributable Package x86 (we don't need the
> > 64 bit version, because AOO is a 32 bit application and so it cannot load a
> > 64 bit JVM) slightly increases the size of the installer:
> 
> Which makes me wonder why the MSVC 2008 x64 is bundled with AOO? It's only
> 5Mb but if it's useless, what is the point?
> 
> What is the bundled MSVC 2008 x86 needed for anyway? Why force a two step
> installation?

The 2008 version is needed because this is the runtime used to build OpenOffice on Windows, we use Visual Studio 2008. We need both 32 and 64 bit versions because we build 64 bit shell extensions.

The 2010 version is only needed because of the bug in Oracle Java, they don't include the runtime for the JVM library. Yes, this is Oracle's bug, but we depend on Java for quite basic things like the Help.

> > 1) bundle the updated 32 bit version of msvcr100.dll
> 
> Yes, please!

Note the downside of bundling this library: if MS discovers a vulnerability and releases a new version, we will be forced to provide a new release just because of this.
Comment 7 Matthias Seidel 2016-10-28 16:07:38 UTC
> > (In reply to Ariel Constenla-Haile from comment #1)
...
> The 2010 version is only needed because of the bug in Oracle Java, they
> don't include the runtime for the JVM library. Yes, this is Oracle's bug,
> but we depend on Java for quite basic things like the Help.

As for JAVA 1.8.0_111 "msvcr100.dll" is included in "C:\Program Files\Java\jre1.8.0_111\bin".

But maybe it is needed for older versions...
Comment 8 Ariel Constenla-Haile 2016-10-28 16:27:45 UTC
(In reply to Matthias Seidel from comment #7)
> 
> As for JAVA 1.8.0_111 "msvcr100.dll" is included in "C:\Program
> Files\Java\jre1.8.0_111\bin".
> 
> But maybe it is needed for older versions...

Oracle bundles two copies, one in \bin and another one in \bin\plugin2, but it is not included in the same folder as the JVM library, in \bin\client; that's why OpenOffice cannot load it in AOO 4.1.3, the msvcr100.dll runtime library must be beside the JVM library or somewhere on the path like C:\Windows\*
Comment 9 Ariel Constenla-Haile 2017-02-02 23:25:39 UTC
Everything seems to indicate that we will need to release more often, so a possible vulnerability in msvcr100.dll does not seem a threat.
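
The servicing concern discussed in this issue is that every application-local copy of msvcr100.dll has to be replaced by whoever shipped it, so a defender needs to know where the copies are and how old each one is. The Python sketch below is an added example, not OpenOffice or Oracle code: it inventories every copy under a set of roots and flags those older than a baseline. The directory layout, version numbers and baseline are constructed, and the version is read heuristically from the first VS_FIXEDFILEINFO signature in the file rather than by parsing the PE resource tree.

```python
import os
import struct
import tempfile

SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # opens VS_FIXEDFILEINFO in a PE version resource

def file_version(data):
    """Return (major, minor, build, revision) from dwFileVersionMS/LS, or None."""
    pos = data.find(SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)  # skip signature + dwStrucVersion
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def inventory(roots, name="msvcr100.dll"):
    """Return (path, version) for every copy of `name` under the roots."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in (f for f in files if f.lower() == name):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    found.append((path, file_version(fh.read())))
    return found

def stale_copies(found, baseline):
    """Copies older than `baseline`, or with no readable version at all."""
    return [(p, v) for p, v in found if v is None or v < baseline]

def constructed_dll(v):
    """Constructed stand-in for a DLL: only the bytes file_version() reads."""
    return b"MZ" + b"\0" * 62 + SIGNATURE + struct.pack(
        "<III", 0x00010000, (v[0] << 16) | v[1], (v[2] << 16) | v[3])

def demo():
    """Audit a constructed tree; paths and version numbers are made up."""
    layout = {("OpenOffice", "program"): (10, 0, 1, 1),
              ("Java", "bin"): (10, 0, 2, 2),
              ("Java", "bin", "plugin2"): (10, 0, 2, 2)}
    with tempfile.TemporaryDirectory() as top:
        for parts, version in layout.items():
            os.makedirs(os.path.join(top, *parts))
            with open(os.path.join(top, *parts, "msvcr100.dll"), "wb") as fh:
                fh.write(constructed_dll(version))
        found = inventory([top])
        stale = stale_copies(found, baseline=(10, 0, 2, 2))
        return len(found), [os.path.relpath(p, top) for p, _v in stale]

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the installation roots to `inventory()` and set the baseline to the file version of the currently serviced runtime.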