

On 22.01.2019 23:56, Dilyan Palauzov wrote:
> Hello Caolán,
>
> what is the usefulness of a test that behaves differently with different jpeg libraries, but
> none of the test outcomes is clearly wrong?

You could notice that the failing test is called testCVEs. It tests that
known vulnerabilities are detected and rejected by the library, rather
than getting opened, so it checks that LibreOffice uses library versions
that are safe with regard to those vulnerabilities.

But some library versions may decide later to stop rejecting those
samples, including for good reasons, e.g. they might mitigate the
exploit differently, so that the file could get opened then. This is not
something that we should just accept without noticing. If that happens,
we need to see it and understand why it has happened (is that an
unintended regression in that external library, which could make
LibreOffice vulnerable if overlooked, or is that actually a safe change
there, which needs to change our tests to cover this library version?).
This is what Caolán told you ("Someone who wants to use a system
libjpeg-9 would have to investigate if it succeeds for a good reason or
if it's pure luck, e.g. via uninitialized data"). This is not the same as

> removing it completely.
> ...
> So removing this test makes life simpler and causes no side effects.


-- 
Best regards,
Mike Kaganski
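The pattern Mike describes, a regression check that expects known-bad samples to be rejected and surfaces any change in that behaviour for investigation instead of silently passing, as an added example. This is not LibreOffice's testCVEs nor any libjpeg code: `toy_jpeg_loader` is a constructed marker walker standing in for a real library's open step, the samples are constructed malformed inputs (hypothetical, not reproducers of any real CVE), and `permissive_loader` models a library build that has stopped rejecting them.

```python
"""Regression check for known-bad samples (added example, not project code)."""
import struct
from typing import Callable, Dict, Tuple


class RejectedFile(Exception):
    """Raised by a loader for input it refuses to open."""


def toy_jpeg_loader(data: bytes) -> int:
    """Constructed stand-in for an image library's open step.

    Walks JPEG marker segments from SOI to EOI and returns how many
    segments it saw. Malformed structure raises RejectedFile. No image
    data is decoded; only the framing is checked.
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise RejectedFile("missing SOI marker")
    pos, segments = 2, 0
    while True:
        if pos + 2 > len(data):
            raise RejectedFile("truncated before EOI")
        if data[pos] != 0xFF:
            raise RejectedFile(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:  # EOI: well-formed end of stream
            return segments
        if pos + 2 > len(data):
            raise RejectedFile("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:  # length includes its own two bytes
            raise RejectedFile(f"bad segment length {length}")
        if pos + length > len(data):
            raise RejectedFile("segment extends past end of file")
        pos += length
        segments += 1


def permissive_loader(data: bytes) -> int:
    """Hypothetical library build that no longer rejects these samples."""
    if data[:2] != b"\xff\xd8":
        raise RejectedFile("missing SOI marker")
    return 0


# Constructed samples with the outcome the suite expects for each.
# The well-formed control guards against a vacuous pass where a loader
# simply rejects everything.
WELL_FORMED = b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"JF" + b"\xff\xd9"
SAMPLES: Dict[str, Tuple[bytes, str]] = {
    "control_well_formed": (WELL_FORMED, "opened"),
    "truncated_segment": (b"\xff\xd8\xff\xe0" + struct.pack(">H", 100) + b"xx", "rejected"),
    "zero_segment_length": (b"\xff\xd8\xff\xe0\x00\x00\xff\xd9", "rejected"),
}


def classify(loader: Callable[[bytes], int], data: bytes) -> str:
    """Map a loader run onto one of: opened, rejected, crashed."""
    try:
        loader(data)
    except RejectedFile:
        return "rejected"
    except Exception:  # any other failure is a crash, not a clean reject
        return "crashed"
    return "opened"


def run_cve_suite(loader: Callable[[bytes], int],
                  samples: Dict[str, Tuple[bytes, str]] = SAMPLES) -> Dict[str, str]:
    """Return a verdict per sample: 'ok' when the outcome matches the
    expectation, otherwise 'investigate: <actual outcome>' so a changed
    library is noticed rather than accepted."""
    verdicts = {}
    for name, (data, expected) in samples.items():
        outcome = classify(loader, data)
        verdicts[name] = "ok" if outcome == expected else f"investigate: {outcome}"
    return verdicts


def suite_passes(verdicts: Dict[str, str]) -> bool:
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    for name, loader in (("toy", toy_jpeg_loader), ("permissive", permissive_loader)):
        verdicts = run_cve_suite(loader)
        print(name, "PASS" if suite_passes(verdicts) else "FAIL", verdicts)
```

Swapping in `permissive_loader` is the situation from the thread: the suite does not go green because the samples now open, it reports `investigate: opened` for them, which is the prompt to find out whether the library fixed the issue properly or merely stopped failing.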
