Date: prev next · Thread: first prev next last
2016 Archives by date, by thread · List index


On 11.02.2016 07:34, David Tardon wrote:
Hi,

On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:
        Anyhow - I share your concern wrt. the attack surface that all these
old file filters provide for us; I attach a prototype patch that adds an
'EXOTIC' annotation to our filter descriptions. It is missing a UI
Interaction Handler piece (cf. the hole with the notes and so on in
there ;-) - we'll need a new request type I guess.

        My ideal would be to pop up a dialog saying:

        "You're asking LibreOffice to open a very unusual file-type.
         Unless you are certain that this file is indeed a <Lotus
         Word Pro> file it is safest to not open it.

         [ ] - never show this again

                      [ this is an unusual file ] [get me out of here ]"

        Of some kind =) is that something you'd be interested in working on ?
Thanks for the first pass code.  I generally don't find dialouges like
that to be super useful (many users just click right through).
However, in labeling them Exotic we could add a configuration option
to let system administrators disable them all in one go for a secure
site, etc.  I'll look into that more.

This of course makes the assumption that filters for common formats
(like .doc etc.) do not contain vulnerabilities, which is IMHO just
wishful thinking. IIRC there was exactly 1 CVE for import of non-MS file
format during the ~8 years I have been working on this code base. And I
think the likelihood to encounter a malformed (or even malicious) MS
Word document is far greater than, e.g., Hangul Word or AppleWorks
document. So the "secure site" aspect seems rather dubious to me.

but that is just a measure of where white-hat "security researchers"
have been looking for bugs; i find that the idea that black hats don't
do their own independent research to find vulnerabilities is wishful
thinking.

serious vulnerabilities are easiest to find in code that is very rarely
used and almost unknown even to most of the developers of the project,
but enabled by default; see Heartbleed for an illustrative example.

what i think actually matters is this: if random users get an email with
a file in FOOBAR format attached to it, does it open in LibreOffice when
they click on it?

and how many documents are actually legitimately mailed around in the
appropriately named "GreatWorks" format?

from that point of view disabling some import filters *does* reduce the
attack surface.

(another approach would be to implement the import filters not in a
glorified portable macro assembler like C++ but in say Java, but i'd be
accused of trolling and being intolerant of other people's freedom to
shoot themselves in the foot if i would propose that, so consider it
more of a theoretical thought experiment.  well at least you and Caolan
have spent many hours running afl-fuzz, which is the best we can do
currently.)



Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.