6

Recent Visual Studio 2005 security updates may be causing problems for us.

We build and internally distribute SDKs written in C++. These SDKs are a collection of header files and static libraries only. After installing the security updates our SDKs now depend on the newer versions of the MSVC CRT DLLs. These SDKs are used downstream in projects which produce EXE files.

If one of these EXE files is built with a mix of SDKs (some from before the security updates, some from after), then the EXE file produced makes reference to two sets of MSVC runtime DLLs. E.g:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <dependency>
        <dependentAssembly>
            <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b">
            </assemblyIdentity>
        </dependentAssembly>
    </dependency>
    <dependency>
        <dependentAssembly>
            <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b">
            </assemblyIdentity>
        </dependentAssembly>
    </dependency>
</assembly>

Does this mean that at runtime this EXE will be using both versions of the DLL? Does this mean we must distribute both versions of the MSVC Runtime DLLs with this EXE?

Is there a simple way to avoid this problem without forcing all SDKs to be built with the Visual Studio 2005 security patches in place? (This would be undesirable for some of the older and quite stable SDKs that we don't want to rebuild unnecessarily)

Is is possible to simply rewrite the manifest file on either the SDKs or the final EXE file so that only one version of the MSVC CRT DLLs are mentioned?

My understanding is that the relevant updates are as follows:

Security update for Microsoft Visual Studio 2005 Service Pack 1: KB971090

http://go.microsoft.com/fwlink/?LinkId=155934

Security update for Microsoft Visual Studio 2008 Service Pack 1: KB971092

http://go.microsoft.com/fwlink/?LinkID=155933

I have discovered two other questions which are similar:

VC++: KB971090 and selecting Visual C Runtime DLL dependencies

Does the latest Visual Studio 2005 Security Update cause C runtime library issues when hot fixing customer sites

4

2 回答 2

2

1) 是的,这意味着运行时正在使用这两个版本——这是你永远不想发生的事情。它应该只引用单个版本的 DLL(s)

2) 我开发了一种方法来强制版本为 SP1 版本(没有安全更新)。我在这里概述了它

3)您可以完全禁用清单并手动执行它们,但我不建议这样做,因为为调试和发布维护不同的清单很痛苦,而且这是一种容易出错的处理问题的方法。最好使用我在上面(2)中提到的解决方法。

于 2009-08-16T02:37:16.277 回答
2

正如 Ted 所说,在运行时,您的可执行文件将尝试使用这两个版本的 DLL。这可能是因为您尚未完全重新编译整个项目(或者您正在使用已编译为依赖于 .762 运行时的外部库)。

好消息是,如果这两个库都安装在您的客户端系统上,那么并行重定向策略将意味着只加载最新的。到目前为止,您会注意到的更有害的副作用是,当仅安装一个(可能是 .762)时,应用程序将无法启动旧的“应用程序配置不正确,重新安装可能会解决此问题”错误消息。

这是否意味着我们必须使用此 EXE 分发两个版本的 MSVC 运行时 DLL?

对您来说最简单的解决方案可能是只发布最新版本的 Visual c++ 运行时可再发行组件,您可以从以下链接获得它。

http://download.microsoft.com/download/6/B/B/6BB661D6-A8AE-4819-B79F-236472F6070C/vcredist_x86.exe

这可能有点痛苦,因为它要求用户在 EULA 页面上单击“我同意”并需要管理员权限,但普遍认为,如果您可以让用户安装它,这是最好的选择。

于 2009-08-31T22:51:54.607 回答