Old/Obsolete file format import still needed?

Michael Stahl mstahl at redhat.com
Thu Feb 11 10:14:19 UTC 2016


On 11.02.2016 07:34, David Tardon wrote:
> Hi,
> 
> On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:
>>>         Anyhow - I share your concern wrt. the attack surface that all these
>>> old file filters provide for us; I attach a prototype patch that adds an
>>> 'EXOTIC' annotation to our filter descriptions. It is missing a UI
>>> Interaction Handler piece (cf. the hole with the notes and so on in
>>> there ;-) - we'll need a new request type I guess.
>>>
>>>         My ideal would be to pop up a dialog saying:
>>>
>>>         "You're asking LibreOffice to open a very unusual file-type.
>>>          Unless you are certain that this file is indeed a <Lotus
>>>          Word Pro> file it is safest to not open it.
>>>
>>>          [ ] - never show this again
>>>
>>>                       [ this is an unusual file ] [get me out of here ]"
>>>
>>>         Of some kind =) is that something you'd be interested in working on ?
>> Thanks for the first pass code.  I generally don't find dialogues like
>> that to be super useful (many users just click right through).
>> However, in labeling them Exotic we could add a configuration option
>> to let system administrators disable them all in one go for a secure
>> site, etc.  I'll look into that more.
> 
> This of course makes the assumption that filters for common formats
> (like .doc etc.) do not contain vulnerabilities, which is IMHO just
> wishful thinking. IIRC there was exactly 1 CVE for import of non-MS file
> format during the ~8 years I have been working on this code base. And I
> think the likelihood to encounter a malformed (or even malicious) MS
> Word document is far greater than, e.g., Hangul Word or AppleWorks
> document. So the "secure site" aspect seems rather dubious to me.

but that is just a measure of where white-hat "security researchers"
have been looking for bugs; I find that the idea that black hats don't
do their own independent research to find vulnerabilities is wishful
thinking.

serious vulnerabilities are easiest to find in code that is very rarely
used and almost unknown even to most of the developers of the project,
but enabled by default; see Heartbleed for an illustrative example.

what I think actually matters is this: if random users get an email with
a file in FOOBAR format attached to it, does it open in LibreOffice when
they click on it?

and how many documents are actually legitimately mailed around in the
appropriately named "GreatWorks" format?

from that point of view disabling some import filters *does* reduce the
attack surface.

(another approach would be to implement the import filters not in a
glorified portable macro assembler like C++ but in say Java, but I'd be
accused of trolling and being intolerant of other people's freedom to
shoot themselves in the foot if I proposed that, so consider it
more of a theoretical thought experiment.  well at least you and Caolan
have spent many hours running afl-fuzz, which is the best we can do
currently.)
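The question the thread keeps coming back to ("does a file in format FOOBAR open when a user clicks on it, and would a site policy that disables EXOTIC-flagged filters change that?") can be answered mechanically from the filter registry. The following is an added example, not LibreOffice code and not the prototype patch from the thread: it parses a filter-description fragment in the XCU shape LibreOffice uses for its filter registry (`node`/`prop`/`value` elements with attributes in the `http://openoffice.org/2001/registry` namespace) and reports which import filters remain under an "EXOTIC disabled" policy. The XCU fragment is constructed for this example, the filter names and type identifiers in it are illustrative, and `EXOTIC` is treated as one more token in the `Flags` property, as the annotation proposed in the thread would be.

```python
"""Inventory LibreOffice import filters by flag and evaluate a site policy.

Added example, not part of the LibreOffice tree. Assumptions:
 - SAMPLE_XCU is constructed for this example in the shape of the
   fcfg_*_filters.xcu registry fragments; names/types are illustrative.
 - "EXOTIC" is the annotation proposed in the thread, assumed here to be
   an ordinary token inside the Flags property.
"""
import xml.etree.ElementTree as ET

# Attribute namespace used by the XCU registry format.
OOR = "{http://openoffice.org/2001/registry}"

# Constructed sample: two common filters and two rarely used ones.
SAMPLE_XCU = """<oor:component-data xmlns:oor="http://openoffice.org/2001/registry"
    oor:name="Filter" oor:package="org.openoffice.TypeDetection">
  <node oor:name="Filters">
    <node oor:name="MS Word 97" oor:op="replace">
      <prop oor:name="Flags"><value>IMPORT EXPORT ALIEN PREFERRED</value></prop>
      <prop oor:name="Type"><value>writer_MS_Word_97</value></prop>
    </node>
    <node oor:name="Lotus Word Pro Document" oor:op="replace">
      <prop oor:name="Flags"><value>IMPORT ALIEN 3RDPARTYFILTER EXOTIC</value></prop>
      <prop oor:name="Type"><value>writer_LotusWordPro_Document</value></prop>
    </node>
    <node oor:name="writer8" oor:op="replace">
      <prop oor:name="Flags"><value>IMPORT EXPORT OWN DEFAULT</value></prop>
      <prop oor:name="Type"><value>writer8</value></prop>
    </node>
    <node oor:name="GreatWorks" oor:op="replace">
      <prop oor:name="Flags"><value>IMPORT ALIEN 3RDPARTYFILTER EXOTIC</value></prop>
      <prop oor:name="Type"><value>writer_GreatWorks</value></prop>
    </node>
  </node>
</oor:component-data>
"""


def parse_filters(xcu_text):
    """Return {filter name: {"flags": set[str], "type": str}} from an XCU fragment."""
    root = ET.fromstring(xcu_text)
    filters = {}
    for node in root.iter("node"):
        # Container nodes (e.g. "Filters") carry no oor:op; filter entries do.
        if node.get(OOR + "op") != "replace":
            continue
        props = {}
        for prop in node.findall("prop"):
            value = prop.find("value")
            props[prop.get(OOR + "name")] = (value.text or "") if value is not None else ""
        filters[node.get(OOR + "name")] = {
            "flags": set(props.get("Flags", "").split()),
            "type": props.get("Type", ""),
        }
    return filters


def import_filters(filters, disable_exotic=False):
    """Names of filters that would still import a document under the policy."""
    enabled = set()
    for name, info in filters.items():
        if "IMPORT" not in info["flags"]:
            continue
        if disable_exotic and "EXOTIC" in info["flags"]:
            continue
        enabled.add(name)
    return enabled


def would_open(filters, type_name, disable_exotic=False):
    """The thread's question: given a detected type, which enabled filter
    (if any) would open it on click? Returns the filter name or None."""
    for name in import_filters(filters, disable_exotic):
        if filters[name]["type"] == type_name:
            return name
    return None


def surface_report(filters):
    """Counts that summarise the attack surface before and after the policy."""
    all_import = import_filters(filters)
    without_exotic = import_filters(filters, disable_exotic=True)
    return {
        "import_filters": len(all_import),
        "after_exotic_disabled": len(without_exotic),
        "removed": sorted(all_import - without_exotic),
    }


if __name__ == "__main__":
    flt = parse_filters(SAMPLE_XCU)
    print(surface_report(flt))
    for t in ("writer_GreatWorks", "writer_MS_Word_97"):
        print(t, "->", would_open(flt, t), "| policy:", would_open(flt, t, True))
```

Run against a real installation the same parser can be pointed at the filter XCU files shipped with LibreOffice; note that the report only counts registered import filters, which is the thread's point: it says nothing about which of them contain bugs, only which ones a mailed attachment can reach.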
