103538 – Use OpenType Sanitiser to sanitize embedded fonts

Bug 103538 - Use OpenType Sanitiser to sanitize embedded fonts

Summary: Use OpenType Sanitiser to sanitize embedded fonts

Status:	RESOLVED WONTFIX

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	graphics stack (show other bugs)
Version: (earliest affected)	unspecified
Hardware:	All All

Importance:	medium enhancement
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-10-27 12:46 UTC by ⁨خالد حسني⁩
Modified:	2022-08-14 20:12 UTC (History)
CC List:	2 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description ⁨خالد حسني⁩ 2016-10-27 12:46:25 UTC

LibreOffice supports embedded fonts in the documents for sometime now, and we use and pass these fonts to font rendering libraries without any checking for there validity. Fonts can be a security risk and malicious fonts can easily crash the system on several platforms.

Some web browsers (Google Chrome and Mozilla Firefox) use OpenType Sanitiser to sanitize downloadable webfonts to mitigate such risks, and I think LibreOffice should do the same.

https://github.com/khaledhosny/ots

Comment 1 V Stuart Foote 2016-10-28 01:38:18 UTC

Reasonable, +1

As long as we don't adversely affect the style definitions for documents containing the embedded fonts--assume we replace the fonts detected "corrupt" with available local font equivalent.  And I assume provide fallback for a font that has been blocked but has no local instance.  On export back to ODF archive we'd embed from the local font instance (or the fallback).

Comment 2 QA Administrators 2017-10-29 13:04:49 UTC Comment hidden (obsolete)

** Please read this message in its entirety before responding **

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not
appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from http://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword

Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug

Comment 3 ⁨خالد حسني⁩ 2022-08-14 20:12:35 UTC

No security issue about embedded fonts in 5 years, probably not worth it.