-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, Nov 14, 2017 at 12:37:27PM -0500, Michael Carbone wrote:
> Hi folks,
>
> A colleague at CIRCL recently released ODFCleaner:
>
>
https://github.com/CIRCL/ODFCleaner
>
> Could be worth exploring integration as an additional feature similar to
> Convert to trusted PDF.
Well, this indeed could be useful. Also, running such tool in DispVM
makes sense. But the security model here is very different than PDF
converter. In PDF converter we have two parts:
- complex one: rendering PDF in DispVM, returning "simple
representation"
- simple one - running in calling VM, responsible for parsing
trivial(!) format returned data from the first part and assembling it
back into PDF
In ODFCleaner I don't see any simple representation in between. So, if
that code got exploited(*), the resulting file may still be hostile.
So, running this tool in DispVM may be useful to guard file-storing VM.
But it will not guarantee that the output file is safe.
(*) which is IMO less likely for this code, than for full LibreOffice.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJaCBAhAAoJENuP0xzK19csVNwH/RdxcXuwAQzj8qeNW+q+APQm
61bAvYpuUo9dmzF+t3rTxfiWUGDygKDhIu7M1UJL7QTCGeHZxjrsERx8luIg6+hy
ig7pm4sKHhnA/oA+EP54KudWYwJ7KGCDfs1nuZO6LEUC3NXsrFuFAc1yAQmVYkn2
XWo0E1gkBrVt8TG2Z4Dq/7ueFl0G63b00vuo4V4gA4uUV0i/5whnmGtmZqbwBvx3
yQDcCUmeNbESQXfxI79s/QlD8CKyNQCBld1dLxG/8aJCTmKXbS6Pwv+94xCtL6ht
5lGL8XhH7yb8a/6I2V7O5AyapylOEt6xUkYV8KxVUiDzsASRmdT+8bF8Mlu/CI8=
=v/S/
-----END PGP SIGNATURE-----