Page MenuHome GnuPG
Create Task
Maniphest T5878

State of libexpat-1 in Gpg4win
Open, NormalPublic
Actions

Description

This task informs about libexpat-1 in Gpg4win and what will happen to it.

There where some concerns because libexpat does contain vulnerabilties and this library will be installed if users install Gpg4win.

I am assuming the following: GPA uses the GTK+ framework which needs the library fontconfig. That library again is using libexpat.

Fact is: libexpat is only used internal. That's why it is no security risk.

When users install Gpg4win it is now the case that libexpat will also be installed even if users didn't choose to install GPG. There is another task (https://dev.gnupg.org/T5877) and probably the dependencies will be adapted so libexpat will only be installed with GPA.

Related Objects

Event Timeline

cklassen triaged this task as Normal priority.Mar 14 2022, 12:29 PM
cklassen created this task.
cklassen created this object in space S1 Public.
bernhard added a subscriber: bernhard.Mar 14 2022, 5:27 PM

because libexpat does contain vulnerabilties

At least the version currently in Gpg4win 4.0.0 is believed to be quite old, and is very likely to have one or more of the following weaknesses: https://www.cvedetails.com/vulnerability-list/vendor_id-16735/Libexpat-Project.html)

Werner stated:

libexpat is used by libfontconfig which is part of the GTK+ toolset (the
Cairo component in fact). Thus no user data is processed by libexpat
and thus there is no way to to exploit one of the usual expat bugs.

bernhard added a subscriber: aheinecke.EditedMar 15 2022, 11:44 AM

One solution is to remove GPA and pinenty-gtk completely, as the used GTK+ version 2 is end-of-life. @aheinecke already asked on https://lists.wald.intevation.org/pipermail/gpg4win-users-en/2022-March/001740.html for reasons to keep GPA. (For which we should make a new issue).

ikloecker added a subscriber: ikloecker.Mar 15 2022, 7:26 PM

Not relevant for Windows, but for the AppImage: Qt's X11 xcb platform plugin depends on libfontconfig and therefore indirectly depends on libexpat. So, at least on Linux X11, pinentry-qt and Kleopatra both load libexpat.

ikloecker added a comment.Jun 5 2023, 11:11 AM

Gpg4win doesn't include libexpat anymore (since it doesn't include gpa and pinentry-gtk anymore).