Project

General

Profile

Actions

Task #1121

closed

Windows Symbol Server should support https

Added by - Raal over 7 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
Webserver
Target version:
-
Start date:
Due date:
% Done:

0%

Tags:

Description

Ci-infra bugs are now tracked in redmine. Copied from bugzilla bug #86835
https://wiki.documentfoundation.org/Category:Infrastructure
https://redmine.documentfoundation.org/projects/infrastructure
https://redmine.documentfoundation.org/issues/1106
----
The Windows symbol server set up as requested in bug 50350 is boon to those who want to debug libreoffice, triage crashes, or do profiling. However the symbol server poses a security risk to all who use it. Symbols are served up over insecure http and could be modified in flight by a malicious third party. This could include adding carefully crafted corruptions (most PDB parsers are not securely written or well tested against malicious inputs) or adding malicious source indexing commands. Either technique could easily be used to execute arbitrary code on developer's machines.

Because the symbols served up by libreoffice contain private symbols, including source file information, adding a malicious source indexing stream is a trivial operation and most debuggers are configured to execute the commands within without asking the user.

Here is the bug that originally added symbol server support:

https://www.libreoffice.org/bugzilla/show_bug.cgi?id=50350

Actions #1

Updated by Christian Lohmaier over 3 years ago

  • Tracker changed from Feature to Task
  • Category set to Webserver
  • Status changed from New to Closed
  • Assignee set to Christian Lohmaier

https://dev-downloads.libreoffice.org/ (as well as dev-www and others that initially weren't hosted on tdf-infra) have https support for a while now via let's encrypt.

Closing.

Actions

Also available in: Atom PDF