Bug 86835 - Windows Symbol Server should support https
Summary: Windows Symbol Server should support https
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: ci-infra
Version: unspecified
Hardware: Other Windows (All)
Importance: medium enhancement
Assignee: Not Assigned
Reported: 2014-11-28 21:28 UTC by Bruce Dawson
Modified: 2014-12-09 01:28 UTC

Description Bruce Dawson 2014-11-28 21:28:14 UTC
The Windows symbol server set up as requested in bug 50350 is a boon to those who want to debug LibreOffice, triage crashes, or do profiling. However, the symbol server poses a security risk to all who use it. Symbols are served up over insecure http and could be modified in flight by a malicious third party. This could include adding carefully crafted corruptions (most PDB parsers are *not* securely written or well tested against malicious inputs) or adding malicious source indexing commands. Either technique could easily be used to execute arbitrary code on developers' machines.

Because the symbols served up by LibreOffice contain private symbols, including source file information, adding a malicious source indexing stream is a trivial operation and most debuggers are configured to execute the commands within without asking the user.

Here is the bug that originally added symbol server support:

https://www.libreoffice.org/bugzilla/show_bug.cgi?id=50350
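
A developer-side check for the exposure described in the report, as an added example that is not part of the original bug report: it parses a debugger symbol path in the `_NT_SYMBOL_PATH` syntax and lists the symbol stores that would be fetched over plain http. The host names in the sample path are constructed placeholders, and `audit_symbol_path` is a hypothetical helper name.

```python
import os

INSECURE_SCHEMES = ("http://",)  # plain http: content can be altered in flight


def audit_symbol_path(symbol_path):
    """Return (element, store) pairs for symbol stores fetched over plain http.

    Handles the srv*/symsrv* element forms of a debugger symbol path;
    cache* entries and plain directories are local and are skipped.
    """
    findings = []
    for element in symbol_path.split(";"):
        element = element.strip()
        if not element:
            continue
        parts = element.split("*")
        keyword = parts[0].lower()
        if keyword == "srv":
            stores = parts[1:]
        elif keyword == "symsrv":
            stores = parts[2:]  # parts[1] names the symbol server DLL
        else:
            continue
        for store in stores:
            if store.strip().lower().startswith(INSECURE_SCHEMES):
                findings.append((element, store.strip()))
    return findings


# Constructed sample path; the host names are placeholders, not real servers.
SAMPLE_PATH = (
    r"cache*C:\symcache;"
    r"srv*C:\symbols*https://symbols.example.com/store;"
    r"SRV*C:\symbols*http://symbols.example.org/;"
    r"symsrv*symsrv.dll*C:\symbols*HTTP://mirror.example.net/syms;"
    r"C:\build\pdb"
)

if __name__ == "__main__":
    # Audit the live environment if a symbol path is set, else the sample.
    path = os.environ.get("_NT_SYMBOL_PATH", SAMPLE_PATH)
    for element, store in audit_symbol_path(path):
        print(f"plain-http symbol store: {store}  (in element: {element})")
```
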
Comment 1 Robinson Tryon (qubit) 2014-12-09 01:28:09 UTC
Sounds like a reasonable enhancement request.

Status -> NEW

