| Summary: | [SECURITY] Password removed from ODS file when saving to XLS, XLT... | ||
|---|---|---|---|
| Product: | LibreOffice | Reporter: | Mikeyy - L10n HR <mihovil> |
| Component: | Calc | Assignee: | Not Assigned <libreoffice-bugs> |
| Status: | NEW --- | ||
| Severity: | major | CC: | jluth, marina.latini, peergynnt, quikee, yuki.bot |
| Priority: | medium | ||
| Version: | 4.1.3.2 release | ||
| Hardware: | All | ||
| OS: | All | ||
| See Also: | https://bugs.freedesktop.org/show_bug.cgi?id=71322 | ||
| Whiteboard: | |||
| Crash report or crash signature: | Regression By: | ||
| Bug Depends on: | |||
| Bug Blocks: | 108897, 108914, 109072 | ||
| Attachments: |
Test password file
password forget |
||
This is weird - why is retyping even needed. I saved ODS to XLSX and then reopened the XLSX file and saved as XLS. In this case there was no prompt to retype the password and the XLS was still protected. If it goes from ODS->XLSX->XLS then it must also go from ODS->XLS without the prompt to retype the password. Anyway - all we need to do is to add a check for the old password in the "Re-type password" Dialog. Removing password or changing it should have mandatory "Type old password first" prompt. It looks like you can pretty much crack open any ODS file like this. > It looks like you can pretty much crack open any ODS file like this.
Yes.. now you can. However sheet protection does not encrypt the document anyway so you can easily unzip and remove the protection from the xml file if you want to get rid of the protection.
I will take a look at this bug when time permits. If someone wants to take this bug please say.
** Please read this message in its entirety before responding ** To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present on a currently supported version of LibreOffice (5.0.5 or 5.1.0) https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the version of LibreOffice and your operating system, and any changes you see in the bug behavior If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a short comment that includes your version of LibreOffice and Operating System Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) http://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to "inherited from OOo"; 4b. If the bug was not present in 3.3 - add "regression" to keyword Feel free to come ask questions or to say hello in our QA chat: http://webchat.freenode.net/?channels=libreoffice-qa Thank you for your help! -- The LibreOffice QA Team This NEW Message was generated on: 2016-02-21 Created attachment 150249 [details]
password forget
*** Bug 125114 has been marked as a duplicate of this bug. *** Dear Mikeyy - L10n HR, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug Dear Mikeyy - L10n HR, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug I can repro this, but the question is: If you really want to encrypt the document such that no one can open it without a password, why don't you try "File"->"Save as..." and check the checkbox for "Save with password", which will ask you to type a password on save, and afterward the document will be encrypted. |
Created attachment 88730 [details] Test password file This is a security breach bug. Take any password protected ODS file. For example I made simple ODS file, locked down sheet and document, you cannot even select cells. 1. Open attached file. 2. Save As -> XLS file 3. You will be prompted that passwords aren't hash compatible and if you want to select new password. 4. Select to rewrite password and then select to remove password. 5. After you finish, go to TOOLS - PROTECT DOCUMENT and remove protection from sheet and document. In 4th step, you can also choose new password instead of removing old, you just need to uncheck "Same password as old password" checkbox. This affects XLS, XLT, but not XLSX. Not sure if it affects other formats.