Re: Building LO 6.1.4.2 --with-system-jpeg and jpeg-9c fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 22.01.2019 23:56, Dilyan Palauzov wrote:
> Hello Caolán,
> 
> what is the usefulness of a test, that behaves differently with different jpeg libraries, but none of the test-outcomes is clearly wrong?

You could notice that the failing test is called testCVEs. It tests that 
known vulnerabilities are detected and rejected by the library, rather 
than get opened, so it checks that LibreOffice uses library versions 
that are safe with regards of those vulnerabilities.

But some libraries versions may decide later to stop rejecting those 
samples, including for good reasons, e.g. they might mitigate the 
exploit differently, so that the file could get opened then. This is not 
something that we should just accept without noticing. If that happens, 
we need to see it and understand why has it happened (is that an 
unintended regression in that external library, which could make 
LibreOffice vulnerable if overlooked, or is that actually a safe change 
there, which needs to change our tests to cover this library version?). 
This is what Caolán told you ("Someone who wants to use a system 
libjpeg-9 would have to investigate if it succeeds for a good reason or 
if its pure luck, e.g. via uninitialized data"). This is not the same as

> removing it completely.
> ...
> So removing this tests makes life simpler and causes no side effects.


-- 
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
LibreOffice@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/libreoffice
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux