Building LO 220.127.116.11 --with-system-jpeg and jpeg-9c fails
mikekaganski at hotmail.com
Wed Jan 23 06:29:37 UTC 2019
On 22.01.2019 23:56, Dilyan Palauzov wrote:
> Hello Caolán,
> what is the usefulness of a test, that behaves differently with different jpeg libraries, but none of the test-outcomes is clearly wrong?
You could notice that the failing test is called testCVEs. It tests that
known vulnerabilities are detected and rejected by the library, rather
than getting opened, so it checks that LibreOffice uses library versions
that are safe with regard to those vulnerabilities.
But some library versions may decide later to stop rejecting those
samples, including for good reasons, e.g. they might mitigate the
exploit differently, so that the file could get opened then. This is not
something that we should just accept without noticing. If that happens,
we need to see it and understand why it has happened (is that an
unintended regression in that external library, which could make
LibreOffice vulnerable if overlooked, or is that actually a safe change
there, which requires changing our tests to cover this library version?).
This is what Caolán told you ("Someone who wants to use a system
libjpeg-9 would have to investigate if it succeeds for a good reason or
if it's pure luck, e.g. via uninitialized data"). This is not the same as
> removing it completely.
> So removing this test makes life simpler and causes no side effects.