On 22.01.2019 23:56, Dilyan Palauzov wrote:
Hello Caolán,
what is the usefulness of a test, that behaves differently with different jpeg libraries, but
none of the test-outcomes is clearly wrong?
You could notice that the failing test is called testCVEs. It tests that
known vulnerabilities are detected and rejected by the library, rather
than get opened, so it checks that LibreOffice uses library versions
that are safe with regards of those vulnerabilities.
But some libraries versions may decide later to stop rejecting those
samples, including for good reasons, e.g. they might mitigate the
exploit differently, so that the file could get opened then. This is not
something that we should just accept without noticing. If that happens,
we need to see it and understand why has it happened (is that an
unintended regression in that external library, which could make
LibreOffice vulnerable if overlooked, or is that actually a safe change
there, which needs to change our tests to cover this library version?).
This is what Caolán told you ("Someone who wants to use a system
libjpeg-9 would have to investigate if it succeeds for a good reason or
if its pure luck, e.g. via uninitialized data"). This is not the same as
removing it completely.
...
So removing this tests makes life simpler and causes no side effects.
--
Best regards,
Mike Kaganski
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.