lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 8 Aug 2013 16:40:58 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: OUTDATED,
	UNSUPPORTED and VULNERABLE 3rd party components installed with
	Exact Audio Copy


Exact Audio Copy (see <>) V1.0 beta 3,
released 2011-09-11, installs the following OUTDATED, UNSUPPORTED
and VULNERABLE 3rd party components:

1. Microsoft SQL Server Compact 3.5 Service Pack 1:

| X:\>filever.exe /S "%ProgramFiles%\Exact Audio Copy\sqlce*.dll"
|        x:\program files\exact audio copy\sqlce*.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    343,104 06-25-2008 sqlceca35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp     84,544 06-25-2008 sqlcecompact35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    172,608 06-25-2008 sqlceoledb35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    644,160 06-25-2008 sqlceqp35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    348,224 06-25-2008 sqlcese35.dll

   Support end for SQL Server Compact 3.5 Service Pack 1 was on
   2011-06-29, see <>

   Its supported successor, "Microsoft SQL Server Compact 3.5
   Service Pack 2 for Windows Desktop" is available since 2010-05-17,
   see <>

2. From the REDIST.TXT included in the SQL Compact Edition:

| Private deployment of just the native stack and explicit loading
| of SQL Server Compact Assembly via Assembly.LoadFrom(), .local
| file, or the use of DLL/COM redirection strategies are not
| supported and may result in serviceability issues.
| For more information see
| and

3. MSVC++ 2005 runtime libraries 8.0.50727.4053:

| X:\>filever.exe /S "%ProgramFiles%\Exact Audio Copy\Microsoft.VC80.CRT"
|        x:\program files\exact audio copy\microsoft.vc80.crt\*.*
| --a--    -   -   -               -   -        455 12-07-2009 microsoft.vc80.crt.manifest
| --a-- W32i   DLL ENU  8.0.50727.4053 shp    632,656 07-12-2009 msvcr80.dll

   The current version of the MSVCRT++ 2005 runtime is available
   since 2011-04-11, see <>
   alias <>

   JFTR: See <>

   When installed via the MSVCRT++ redistributable package,
   Windows Update but keeps this component up-to-date!

Stefan Kanthak


2013-08-06    informed developer

2013-08-06    developer replies:

              a. "EAC was released two months after the release of
                 the service pack"

              2011-09-11 is two months later than 2010-05-17?

              b. "EAC is written in Modula II and needs no MSVCRT++"

              The satellites used by EAC but need it!

              c. "EAC uses SQL Compact DLLs from Microsoft, which
                 request the exact library version in their manifest
                 (Visual Studio 8 enforces this). Since I use the 
                 latest SQL Compact Installation I had to include the
                 corresponding MSVCRT++ DLLs"

              - the manifests of the sqlce*35.dlls refer to version
              - Visual Studio does not enforce anything in a manifest
              - see <>!
              - the latest SQL Compact Edition is NOT used, see above
              - the "corresponding DLLs" version 8.0.50608.0 are NOT

              d. "what does 'application local' mean?"

              Obviously, the developer has no clue how manifests and
              "side-by-side" installations work and didnt notice the
              contents of REDIST.TXT

2013-08-07    replied with all the details
2013-08-07    developer replies: "write your own EAC"

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists