Old/Obsolete file format import still needed?

classic Classic list List threaded Threaded
11 messages Options
Bryan Quigley-2 Bryan Quigley-2
Reply | Threaded
Open this post in threaded view
|

Old/Obsolete file format import still needed?

Hi all,

While working on the easyhack[1] to remove export of obsolete formats
I came across a few that I think we might want to drop import support
from as well. I cam across them again recently looking at another
cleanup bug[2].

They are:
Mac Pict (obsolete since Mac OS X)
https://en.wikipedia.org/wiki/PICT

PBM,PGM,PPM
From their website (below) there might be some users who still like
using this file format. But given the likely user I'm guessing they
will all just manually use ppmtojpeg to make it a jpeg before
importing into LibreOffice.
https://en.wikipedia.org/wiki/Netpbm_format
http://netpbm.sourceforge.net/doc/#formats

OS/2 Metafile (.MET)
Known bug - With MET files you can not export them as an image (a
different filetype) using "Save as image".  You can still export a new
image by saving the whole document.

In most cases I would expect a dedicated image program to be able to
do a better job with the above.   I was hoping to get some usage
statistics about these formats, but haven't found any (suggestions
welcome).  There also might be a security benefit by not having to
consider these formats (less import code to harden).

Thoughts?
Bryan

[1] https://bugs.documentfoundation.org/show_bug.cgi?id=92925
[2] https://bugs.documentfoundation.org/show_bug.cgi?id=38844

P.S. Please copy me on replies.
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
jan iversen jan iversen
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

Hi

We discussed this in general at the ESC meeting a while ago, and I believe the general concensus was not to remove filters that works and thereby cause no extra support.

Reason was that there might still be users out there having reasons for using these filters.

However if the filter is broken, lack significant features or otherwise call for support, that makes it a candidate for removal.

I have no opinion on the filters you list, and hope others have more knowledge on the status.

rgds
jan i.
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Michael Meeks-5 Michael Meeks-5
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

In reply to this post by Bryan Quigley-2
Hi Bryan,

On Tue, 2016-02-09 at 01:38 -0500, Bryan Quigley wrote:
> While working on the easyhack[1] to remove export of obsolete formats

        Its prolly a good idea to close that easy-hack ;-)

> There also might be a security benefit by not having to
> consider these formats (less import code to harden).

        As JanI says, cf. the ESC minutes - being the swiss-army-knife of file
formats that loads ~anything you can throw at it is quite important.

> P.S. Please copy me on replies.

        Hopefully the list is configured to do that ;-)

        Anyhow - I share your concern wrt. the attack surface that all these
old file filters provide for us; I attach a prototype patch that adds an
'EXOTIC' annotation to our filter descriptions. It is missing a UI
Interaction Handler piece (cf. the hole with the notes and so on in
there ;-) - we'll need a new request type I guess.

        My ideal would be to pop up a dialog saying:

        "You're asking LibreOffice to open a very unusual file-type.
         Unless you are certain that this file is indeed a <Lotus
         Word Pro> file it is safest to not open it.

         [ ] - never show this again

                      [ this is an unusual file ] [get me out of here ]"

        Of some kind =) is that something you'd be interested in working on ?

        All the best,

                Michael.

--
 [hidden email]  <><, Pseudo Engineer, itinerant idiot

_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice

0001-First-cut-at-annotating-exotic-filters.patch (20K) Download Attachment
Bryan Quigley-2 Bryan Quigley-2
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

>However if the filter is broken, lack significant features or otherwise call for support, that makes it a candidate for removal.
I'll try to find some more in the wild instances of these formats and
determine just how bad the support is.  OS/2 Metafile was the worst in
my previous testing so I'll look there first.

>         As JanI says, cf. the ESC minutes - being the swiss-army-knife of file
> formats that loads ~anything you can throw at it is quite important.

Understood.  Sorry I missed those ESC minutes.

>         Anyhow - I share your concern wrt. the attack surface that all these
> old file filters provide for us; I attach a prototype patch that adds an
> 'EXOTIC' annotation to our filter descriptions. It is missing a UI
> Interaction Handler piece (cf. the hole with the notes and so on in
> there ;-) - we'll need a new request type I guess.
>
>         My ideal would be to pop up a dialog saying:
>
>         "You're asking LibreOffice to open a very unusual file-type.
>          Unless you are certain that this file is indeed a <Lotus
>          Word Pro> file it is safest to not open it.
>
>          [ ] - never show this again
>
>                       [ this is an unusual file ] [get me out of here ]"
>
>         Of some kind =) is that something you'd be interested in working on ?
Thanks for the first pass code.  I generally don't find dialouges like
that to be super useful (many users just click right through).
However, in labeling them Exotic we could add a configuration option
to let system administrators disable them all in one go for a secure
site, etc.  I'll look into that more.

Thanks again both,
Bryan
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Michael Meeks-5 Michael Meeks-5
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?


On Wed, 2016-02-10 at 14:20 -0500, Bryan Quigley wrote:
> Thanks for the first pass code.  I generally don't find dialouges like
> that to be super useful (many users just click right through).

        Heh - true; but at least it reduces the severity of any related
security advisory which is pleasant.

> However, in labeling them Exotic we could add a configuration option
> to let system administrators disable them all in one go for a secure
> site, etc.  I'll look into that more.

        Right - good thought =) would be easy to do that too; can just
filter[sic] them out of the filter list.

        ATB,

                Michael.

--
 [hidden email]  <><, Pseudo Engineer, itinerant idiot

_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
David Tardon David Tardon
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

In reply to this post by Bryan Quigley-2
Hi,

On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:

> >         Anyhow - I share your concern wrt. the attack surface that all these
> > old file filters provide for us; I attach a prototype patch that adds an
> > 'EXOTIC' annotation to our filter descriptions. It is missing a UI
> > Interaction Handler piece (cf. the hole with the notes and so on in
> > there ;-) - we'll need a new request type I guess.
> >
> >         My ideal would be to pop up a dialog saying:
> >
> >         "You're asking LibreOffice to open a very unusual file-type.
> >          Unless you are certain that this file is indeed a <Lotus
> >          Word Pro> file it is safest to not open it.
> >
> >          [ ] - never show this again
> >
> >                       [ this is an unusual file ] [get me out of here ]"
> >
> >         Of some kind =) is that something you'd be interested in working on ?
> Thanks for the first pass code.  I generally don't find dialouges like
> that to be super useful (many users just click right through).
> However, in labeling them Exotic we could add a configuration option
> to let system administrators disable them all in one go for a secure
> site, etc.  I'll look into that more.

This of course makes the assumption that filters for common formats
(like .doc etc.) do not contain vulnerabilities, which is IMHO just
wishful thinking. IIRC there was exactly 1 CVE for import of non-MS file
format during the ~8 years I have been working on this code base. And I
think the likelihood to encounter a malformed (or even malicious) MS
Word document is far greater than, e.g., Hangul Word or AppleWorks
document. So the "secure site" aspect seems rather dubious to me.

Not to mention that users/admins in different countries (or even in
different professions) may have different ideas about which formats
should be considered "exotic".

D.
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Tor Lillqvist-2 Tor Lillqvist-2
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?


> we could add a configuration option

We don't need more configuration options.
 
> to let system administrators disable them all in one go for a secure
> site, etc. 

I think you misunderstand what a typical "system administrator" does, for the vast majority of our user base (counting just the part of it that even has hired sysadmins). Hint: They don't build software from sources.

--tml


_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Michael Stahl-2 Michael Stahl-2
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

In reply to this post by David Tardon
On 11.02.2016 07:34, David Tardon wrote:

> Hi,
>
> On Wed, Feb 10, 2016 at 02:20:50PM -0500, Bryan Quigley wrote:
>>>         Anyhow - I share your concern wrt. the attack surface that all these
>>> old file filters provide for us; I attach a prototype patch that adds an
>>> 'EXOTIC' annotation to our filter descriptions. It is missing a UI
>>> Interaction Handler piece (cf. the hole with the notes and so on in
>>> there ;-) - we'll need a new request type I guess.
>>>
>>>         My ideal would be to pop up a dialog saying:
>>>
>>>         "You're asking LibreOffice to open a very unusual file-type.
>>>          Unless you are certain that this file is indeed a <Lotus
>>>          Word Pro> file it is safest to not open it.
>>>
>>>          [ ] - never show this again
>>>
>>>                       [ this is an unusual file ] [get me out of here ]"
>>>
>>>         Of some kind =) is that something you'd be interested in working on ?
>> Thanks for the first pass code.  I generally don't find dialouges like
>> that to be super useful (many users just click right through).
>> However, in labeling them Exotic we could add a configuration option
>> to let system administrators disable them all in one go for a secure
>> site, etc.  I'll look into that more.
>
> This of course makes the assumption that filters for common formats
> (like .doc etc.) do not contain vulnerabilities, which is IMHO just
> wishful thinking. IIRC there was exactly 1 CVE for import of non-MS file
> format during the ~8 years I have been working on this code base. And I
> think the likelihood to encounter a malformed (or even malicious) MS
> Word document is far greater than, e.g., Hangul Word or AppleWorks
> document. So the "secure site" aspect seems rather dubious to me.

but that is just a measure of where white-hat "security researchers"
have been looking for bugs; i find that the idea that black hats don't
do their own independent research to find vulnerabilities is wishful
thinking.

serious vulnerabilities are easiest to find in code that is very rarely
used and almost unknown even to most of the developers of the project,
but enabled by default; see Heartbleed for an illustrative example.

what i think actually matters is this: if random users get an email with
a file in FOOBAR format attached to it, does it open in LibreOffice when
they click on it?

and how many documents are actually legitimately mailed around in the
appropriately named "GreatWorks" format?

from that point of view disabling some import filters *does* reduce the
attack surface.

(another approach would be to implement the import filters not in a
glorified portable macro assembler like C++ but in say Java, but i'd be
accused of trolling and being intolerant of other people's freedom to
shoot themselves in the foot if i would propose that, so consider it
more of a theoretical thought experiment.  well at least you and Caolan
have spent many hours running afl-fuzz, which is the best we can do
currently.)


_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Michael Stahl-2 Michael Stahl-2
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

In reply to this post by Tor Lillqvist-2
On 11.02.2016 07:39, Tor Lillqvist wrote:

>
>     > we could add a configuration option
>
> We don't need more configuration options.
>
>     > to let system administrators disable them all in one go for a secure
>     > site, etc.
>
> I think you misunderstand what a typical "system administrator" does,
> for the vast majority of our user base (counting just the part of it
> that even has hired sysadmins). Hint: They don't build software from
> sources.

i think you misunderstood that this wasn't about "configure" options but
about "officecfg" runtime configuration.


_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Bjoern Michaelsen Bjoern Michaelsen
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

Hi,

On Thu, Feb 11, 2016 at 11:16:40AM +0100, Michael Stahl wrote:
> i think you misunderstood that this wasn't about "configure" options but
> about "officecfg" runtime configuration.

Right. Assuming the later, it seems like a good thing to me: Makes the
enterprisey sysadmins happy without getting in the way of either devs
(./configure) or endusers (more GUI config).

Best,

Bjoern
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Chris Sherlock Chris Sherlock
Reply | Threaded
Open this post in threaded view
|

Re: Old/Obsolete file format import still needed?

In reply to this post by Michael Stahl-2

> On 11 Feb 2016, at 9:14 PM, Michael Stahl <[hidden email]> wrote:
>
> but that is just a measure of where white-hat "security researchers"
> have been looking for bugs; i find that the idea that black hats don't
> do their own independent research to find vulnerabilities is wishful
> thinking.

I do wonder what sort of vulnerabilities they find though. Not that in any way do I think we should encourage insecure programming or a review of old code that has a higher risk attack surface (in particular import code), but I do wonder what sort of things they can compromise from within LibreOffice. Of course, my imagination is probably not as good as that of top-notch black hat crackers. :-)

> serious vulnerabilities are easiest to find in code that is very rarely
> used and almost unknown even to most of the developers of the project,
> but enabled by default; see Heartbleed for an illustrative example.

Closer to home, there were a number of security issues that Microsoft picked up due to WMF processing.

>
> what i think actually matters is this: if random users get an email with
> a file in FOOBAR format attached to it, does it open in LibreOffice when
> they click on it?
>
> and how many documents are actually legitimately mailed around in the
> appropriately named "GreatWorks" format?

Isn’t this a problem of the default extensions we associate with via the installer though?

Should it be the case that we make folks open LibreOffice, then manually open the file? That sort of extra step literally stops people from double-clicking on emails - only those who really want to open the file will actually open LibreOffice and then use file -> open to access the file.
 

> from that point of view disabling some import filters *does* reduce the
> attack surface.
>
> (another approach would be to implement the import filters not in a
> glorified portable macro assembler like C++ but in say Java, but i'd be
> accused of trolling and being intolerant of other people's freedom to
> shoot themselves in the foot if i would propose that, so consider it
> more of a theoretical thought experiment.  well at least you and Caolan
> have spent many hours running afl-fuzz, which is the best we can do
> currently.)

Microsoft has handled opening things like .reg files in Outlook by making people implement registry keys to get around it.

I was wondering however, can you currently embed a .MET file into an ODF file natively? If you can, then we presumably allow people to open the ODF file directly, and then during the load the MET file then invokes import code so we have the same issue, only sort of more hidden.

If this is the case, then I’d still like the import code to exist, but have the ability to disable it by default. An option to right click on the image to show it would be a nice touch :-)

Extra work I know, but that’s my 0.02c (which is about 4 cents in AUD).

Chris
_______________________________________________
LibreOffice mailing list
[hidden email]
https://lists.freedesktop.org/mailman/listinfo/libreoffice