hi all,

i've been wondering if we build everything we ship on Windows with the
recommended compiler flags to mitigate security issues:

https://docs.microsoft.com/en-us/cpp/security/security-best-practices-for-cpp

there's a tool named BinScope which can check the DLLs and executables:

https://www.microsoft.com/en-us/download/details.aspx?id=44995

on current master, this mainly complained about missing PDB files, which
it requires to do anything, so i've tweaked some externals to generate
all needed PDBs, at least in an --enable-dbgutil build; presumably a lot
will be missing in a release build currently.

there were a handful of real issues where mitigations were not enabled,
patches for which are in gerrit for libreoffice-6-0.

the remaining complaints from BinScope seem minor and not worth fixing:

* jpeg-turbo (which is linked statically into 3 things)
  BinScope complains about missing symbols in the NASM objects,
  no idea what can be done about that, NASM can only generate "Borland"
  debuginfo for Windows .obj files...

* ICU data library
  this doesn't contain any code which makes BinScope generally unhappy

* unowinreg
  forgot what it complained about here

* MSVC runtime DLLs, funnily

* some even more ignorable stuff

the BinScope tool is a command line tool that could conceivably be
integrated into the build as a CustomTarget so that we don't regress in
this area by checking against a whitelist, if anybody wants to volunteer
for that.

the main thing that's still missing is that we don't use "Control Flow
Guard", which is apparently new in MSVC 2015 and which BinScope doesn't
check for.

https://docs.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard
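As an added illustration of the kind of check a build-integrated BinScope-style target could run against a whitelist of accepted exceptions (example code written for this page, not part of LibreOffice or BinScope), the Python below reads the DllCharacteristics field of a PE image and reports which of the ASLR, DEP and Control Flow Guard bits the linker left unset. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants; `build_stub` constructs a fake PE32+ header so the checker can be exercised offline without a real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (Optional Header, DllCharacteristics field);
# the linker sets them for /DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA, /guard:cf.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR
    "DYNAMIC_BASE": 0x0040,     # ASLR
    "NX_COMPAT": 0x0100,        # DEP
    "GUARD_CF": 0x4000,         # Control Flow Guard
}
DEFAULT_REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")

def dll_characteristics(data: bytes) -> int:
    """Walk MZ -> PE signature -> COFF header -> Optional Header and return the
    DllCharacteristics field; ValueError for anything that is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # Optional Header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:     # PE32 / PE32+
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]

def missing_mitigations(data: bytes, required=DEFAULT_REQUIRED) -> list:
    """Names of the required mitigation bits that are NOT set in this image."""
    chars = dll_characteristics(data)
    return [name for name in required if not chars & MITIGATION_FLAGS[name]]

def audit(images: dict, ignore=frozenset(), required=DEFAULT_REQUIRED) -> dict:
    """images: {name: file bytes}; `ignore` is the whitelist of accepted
    exceptions (e.g. a data-only DLL). Returns {name: [missing bits]}."""
    findings = {n: missing_mitigations(d, required)
                for n, d in images.items() if n not in ignore}
    return {n: m for n, m in findings.items() if m}

def build_stub(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (not a real binary) for offline testing."""
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE sig
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, opt=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

The GUARD_CF bit only records that the linker built the image with CFG enabled; checks that need the PDB or the load config directory (SafeSEH, /GS) are outside what this header walk can see.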

