
State of libexpat-1 in Gpg4win
Open, Normal, Public


This task informs about libexpat-1 in Gpg4win and what will happen to it.

There were some concerns because libexpat does contain vulnerabilities and this library will be installed if users install Gpg4win.

I am assuming the following: GPA uses the GTK+ framework, which needs the library fontconfig. That library in turn uses libexpat.

Fact is: libexpat is only used internally. That's why it is not a security risk.

When users install Gpg4win it is now the case that libexpat will also be installed even if users didn't choose to install GPG. There is another task ( and probably the dependencies will be adapted so libexpat will only be installed with GPA.


Event Timeline

cklassen triaged this task as Normal priority. Mar 14 2022, 12:29 PM
cklassen created this task.
cklassen created this object in space S1 Public.

because libexpat does contain vulnerabilities

At least the version currently in Gpg4win 4.0.0 is believed to be quite old, and is very likely to have one or more of the following weaknesses:

Werner stated:

libexpat is used by libfontconfig which is part of the GTK+ toolset (the
Cairo component in fact). Thus no user data is processed by libexpat
and thus there is no way to exploit one of the usual expat bugs.

One solution is to remove GPA and pinentry-gtk completely, as the GTK+ version 2 in use is end-of-life. @aheinecke already asked on for reasons to keep GPA. (For which we should make a new issue).

Not relevant for Windows, but for the AppImage: Qt's X11 xcb platform plugin depends on libfontconfig and therefore indirectly depends on libexpat. So, at least on Linux X11, pinentry-qt and Kleopatra both load libexpat.
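As an added example (not code from the GnuPG task or the Gpg4win project), one way to verify on a Linux build which load chain pulls libexpat into a process, as discussed in the comments above: walk the DT_NEEDED entries reported by readelf(1) from each binary and from any dlopen'ed plugin. The library names in the constructed sample are assumptions for illustration, not taken from a real AppImage.

```python
import re
import subprocess
from collections import deque

# Matches one DT_NEEDED line of `readelf -d <file>` output.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def needed_from_readelf(text):
    """Return the direct DT_NEEDED library names found in readelf -d output."""
    return NEEDED_RE.findall(text)

def direct_deps_of_file(path):
    """Run readelf(1) on a real ELF file (only used when run as a script on real input)."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True)
    return needed_from_readelf(out.stdout)

def find_chain(direct_deps, root, target):
    """Breadth-first walk over direct dependencies; return the shortest
    root -> ... -> target chain, or None if target is never pulled in.
    Libraries opened with dlopen() (e.g. Qt platform plugins) do not appear
    as DT_NEEDED of the executable, so such plugins must be added as extra roots."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for dep in direct_deps.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None

# Constructed readelf -d excerpts modelling the Linux X11 case from the task:
# the xcb platform plugin reaches libexpat via libfontconfig, the executable itself does not.
SAMPLE_READELF = {
    "pinentry-qt": "(NEEDED) Shared library: [libQt5Gui.so.5]\n(NEEDED) Shared library: [libc.so.6]\n",
    "libQt5Gui.so.5": "(NEEDED) Shared library: [libpng16.so.16]\n",
    "libqxcb.so": "(NEEDED) Shared library: [libQt5XcbQpa.so.5]\n",
    "libQt5XcbQpa.so.5": "(NEEDED) Shared library: [libfontconfig.so.1]\n",
    "libfontconfig.so.1": "(NEEDED) Shared library: [libexpat.so.1]\n",
}
DIRECT_DEPS = {name: needed_from_readelf(text) for name, text in SAMPLE_READELF.items()}

if __name__ == "__main__":
    for root in ("pinentry-qt", "libqxcb.so"):
        print(root, "->", find_chain(DIRECT_DEPS, root, "libexpat.so.1"))
```

On a real system, replace SAMPLE_READELF with direct_deps_of_file() results for the executable, each library it names, and the platform plugin files, then judge whether any input on that chain is user-controlled.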