https://bugs.freedesktop.org/show_bug.cgi?id=86835

            Bug ID: 86835
           Summary: Windows Symbol Server should support https
           Product: LibreOffice
           Version: unspecified
          Hardware: Other
                OS: Windows (All)
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: BASIC
          Assignee: [email protected]
          Reporter: [email protected]

The Windows symbol server set up as requested in bug 50350 is a boon to those who
want to debug LibreOffice, triage crashes, or do profiling. However, the symbol
server poses a security risk to all who use it. Symbols are served up over
insecure http and could be modified in flight by a malicious third party. This
could include adding carefully crafted corruptions (most PDB parsers are *not*
securely written or well tested against malicious inputs) or adding malicious
source indexing commands. Either technique could easily be used to execute
arbitrary code on developers' machines.

Because the symbols served up by LibreOffice contain private symbols, including
source file information, adding a malicious source indexing stream is a trivial
operation and most debuggers are configured to execute the commands within
without asking the user.

Here is the bug that originally added symbol server support:

https://www.libreoffice.org/bugzilla/show_bug.cgi?id=50350

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Libreoffice-bugs mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
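
A check developers can run on their own debugger configuration, as an added example that is not part of the original report: it parses an `_NT_SYMBOL_PATH` value and lists every symbol store that would be fetched over plain http. The sample path and its host names are constructed placeholders, not the project's server.

```python
import os

# Constructed sample value; hosts are placeholders, not real symbol servers.
SAMPLE = (r"cache*C:\symcache;"
          r"srv*C:\symbols*http://symbols.example.org/symbols;"
          r"SRV*C:\other*https://symbols.example.com/pdb;"
          r"C:\build\pdb;"
          r"symsrv*symsrv.dll*C:\sym2*http://mirror.example.net/pdb")


def parse_symbol_path(value):
    """Split an _NT_SYMBOL_PATH value into (element, [stores]) pairs."""
    parsed = []
    for element in value.split(";"):
        element = element.strip()
        if not element:
            continue
        fields = element.split("*")
        kind = fields[0].lower()
        if kind == "srv":
            stores = fields[1:]          # optional local caches, then the server
        elif kind == "symsrv":
            stores = fields[2:]          # fields[1] names the symbol server DLL
        elif kind == "cache":
            stores = []                  # local cache directive, no upstream
        else:
            stores = [element]           # plain directory or UNC share
        parsed.append((element, [s for s in stores if s]))
    return parsed


def insecure_stores(value):
    """Return (element, store) for every store fetched over cleartext http."""
    findings = []
    for element, stores in parse_symbol_path(value):
        for store in stores:
            if store.lower().startswith("http://"):
                findings.append((element, store))
    return findings


if __name__ == "__main__":
    # Audit the live environment if set, otherwise the constructed sample.
    path = os.environ.get("_NT_SYMBOL_PATH", SAMPLE)
    for element, store in insecure_stores(path):
        print(f"cleartext symbol store: {store}  (in element: {element})")
```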
