Bug 114221 - Calc corrupts password-protected XLS on save (Save as works) - newer MSO 2013 encryption saved as unencrypted file with encryption mode
Summary: Calc corrupts password-protected XLS on save (Save as works) - newer MSO 2013...
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
5.3.0.3 release
Hardware: All All
: medium major
Assignee: Caolán McNamara
URL:
Whiteboard: target:6.1.0 target:6.0.1 target:5.4.5
Keywords: dataLoss, implementationError
Depends on:
Blocks: Password-Protected XLS
  Show dependency treegraph
 
Reported: 2017-12-03 09:20 UTC by francis-marylene
Modified: 2018-01-30 15:33 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments
Snapshot of the requested password to open file (38.99 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document)
2017-12-04 21:42 UTC, francis-marylene
Details
Similar file - No issue (374.50 KB, application/vnd.ms-excel)
2017-12-06 21:11 UTC, francis-marylene
Details
File with bug - Password not found (239.00 KB, application/vnd.ms-excel)
2017-12-06 21:11 UTC, francis-marylene
Details
Sample XLS created in Excel (password: 1234) (25.00 KB, application/vnd.ms-excel)
2017-12-06 23:04 UTC, Aron Budea
Details
File with bug - recovered (239.00 KB, application/vnd.ms-excel)
2017-12-10 05:07 UTC, Aron Budea
Details

Note You need to log in before you can comment on or make changes to this bug.
Description francis-marylene 2017-12-03 09:20:52 UTC
Description:
I have edited a .xls file (initialy created with Excel) with LibreOffice 5.3 (Installed on my computer a few days ago. This .xls file has been protected with a password).
I have edited/opened the file once and closed it after a few modifications. Now it is mpossible to open it a second time as the pop-up window indicates in French "Password is incorrect. Impossible to open the file". For sure, I have not changed the password when saved the previous time. I am in big trouble because I cannot open/edit anymore my .xls file.
What is the solution to open it again?
Thanks in advance for your help.


Steps to Reproduce:
1.Open an Excel spreadsheet
2.Gets window = ''This document contains macros. Macro execution is desactivated. ... sommes fonctionalities not available''
3.After the file is updated, I have saved it in Excel 97-2003 format (not in .odf

Actual Results:  
"Password is incorrect. Impossible to open the file"

Expected Results:
How can I open the file wich is important for me?


Reproducible: Always


User Profile Reset: No



Additional Info:
It points out that some functionnalities won't be available but nothing about the password which makes the access impossible for ever for current users such I.

Is someone going to help me? I am not used to communicate through this type of web site.
Thanks in advance for your help.


User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Comment 1 Buovjaga 2017-12-03 16:26:42 UTC
Does it ask the password upon file open? Or is only a sheet protected?
In any case, you have to use a password cracking tool, but we just need to find out which one.

In the future, never replace a file in the way you did, but save it under another name.
Comment 2 francis-marylene 2017-12-04 21:42:57 UTC
Created attachment 138221 [details]
Snapshot of the requested password to open file
Comment 3 francis-marylene 2017-12-04 21:44:44 UTC
Comment on attachment 138221 [details]
Snapshot of the requested password to open file

Hello,

Thanks very much for your help.
 

Question : Does it ask the password upon file open?

Answer : Yes, it asks the password upon file open. Please see attached file


Yes, next time I know I should save the file under another name. I thought it was possible to open, edit, save .xls or .xlsx with any software (Office or LibreOffice).

For information, initial Excel password was a rather simple password built with 4 numbers (1 through 9). Now I have no idea how many digits and which type of caracters are in the new password assigned by CALC.


I have already had the file scanned by the tool : Advanced Office 97 Password Recovery. Although I set this tool o scan all types of caracteres from 1 up to 5 digits, it failed to find out the password.


I look forward to hearing from you.

Francis HERBERT
Comment 4 Buovjaga 2017-12-05 13:30:21 UTC
What about the original .xls file, you don't have it anymore? Anyway, we would require the original file + original password to confirm the bug.
Comment 5 francis-marylene 2017-12-06 21:11:14 UTC
Created attachment 138254 [details]
Similar file - No issue
Comment 6 francis-marylene 2017-12-06 21:11:55 UTC
Created attachment 138255 [details]
File with bug - Password not found
Comment 7 francis-marylene 2017-12-06 21:21:09 UTC
Please find 2 files attached :
 - The first one (CA2016 OK.xls) with password (6061)which is correct
 - The second one (CA2017 with bug.xls)wich is corrupted (Same initial password 6061)
Both files are similar, one for year 2016 and one for year 2017

With the first one and after having done a copy (as recommended by you), I can reproduce the bug. Steps : I open the file with CALC, type the password, may do any change in the file, save the file. Then when I try to open it again with either CALC or EXCEL, I get the error "Password is incorrect. Impossible to open the file"

I have no correct copy of the second one. It is impossible to open it with either software. I get the same error message.
Comment 8 Aron Budea 2017-12-06 22:51:55 UTC
Thanks for the sample, Francis!
Reproduced using 6.0beta1 & 5.3.0.3 / Windows 7. Assuming the bug isn't OS dependent, unless claimed otherwise.
Also, it only occurs if you save the file, not when you do Save As.

The import of encryption was added with the commit referenced below. Caolán, could you please check what is going wrong here?

https://cgit.freedesktop.org/libreoffice/core/commit/?id=1473ce030314027c01c98f513407ed0897328585
author		Caolán McNamara <caolanm@redhat.com>	2016-10-20 16:07:11 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2016-10-21 11:16:11 +0100

implement CryptoAPI RC4+SHA1 encryption scheme for xls import
Comment 9 Aron Budea 2017-12-06 23:04:33 UTC
Created attachment 138257 [details]
Sample XLS created in Excel (password: 1234)

Apparently it's easy to reproduce, here's a minimal sample created in Excel 2013, password is 1234, simply open, save and try to reopen.
Comment 10 francis-marylene 2017-12-07 20:00:37 UTC
You are right, it works great when saving the file with "Save as". I am able to open it again.
What about the file which is corrupted (CA2017)? I really would like to open it again. Do you have a way to recover it?
Thanks very much to you guys.
I really appreciate your help.
Francis
Comment 11 Timur 2017-12-08 08:14:37 UTC Comment hidden (obsolete)
Comment 12 Aron Budea 2017-12-09 03:20:51 UTC Comment hidden (obsolete)
Comment 13 Aron Budea 2017-12-10 05:07:50 UTC
Created attachment 138338 [details]
File with bug - recovered

(In reply to francis-marylene from comment #10)
> What about the file which is corrupted (CA2017)? I really would like to open
> it again. Do you have a way to recover it?
I have good news for you, the file is recoverable, I'm attaching it, it's unencrypted now.

When the user simply saves the file, it saves as an unencrypted file, but sets encryption mode for it, thus it fails decryption. I could open the bad file by setting a breakpoint at the following line, and skipping to the end of the function:

rStrm.SetDecrypter( xDecr );
https://opengrok.libreoffice.org/xref/core/sc/source/filter/excel/xicontent.cxx#1247

Then the file could be saved, and is saved unencrypted.

The bug only affects files having this newer encryption (>= MS Office 2013), when they are saved (via save as, since that works), the scheme reverts to the older one, opening and saving those files keeps the format and encryption.
Comment 14 Aron Budea 2017-12-10 05:12:16 UTC
This also means the file actually becomes corrupted, it's not just a changed password.
Comment 15 francis-marylene 2017-12-10 19:57:07 UTC
Thanks very much Aron and other guys in providing me so much information and the way I should save.
Thanks a ot for having recovered the corrupted file.
You are really a great community.
Best Regards
Francis
Comment 16 Caolán McNamara 2017-12-15 17:39:22 UTC
seeing as msword/excel has two ways to encrypt we should probably generate the keydata for *both* ways when we decrypt before we throw away the password so when we do save (as the old way) we have the correct format data on hand
Comment 17 Commit Notification 2018-01-26 15:45:28 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=2372003d94d3c58d90f6af524e916a2aa761cee2

Resolves: tdf#114221 generate both std97 and cryptoapi keys from password..

It will be available in 6.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 18 Caolán McNamara 2018-01-26 15:46:41 UTC
That should do it. Backport to 6-0 in gerrit
Comment 19 Commit Notification 2018-01-29 12:07:23 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-6-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=b5914ba44f2fff9f282b6a5cbe21cbebf19e45b2&h=libreoffice-6-0

Resolves: tdf#114221 generate both std97 and cryptoapi keys from password..

It will be available in 6.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 20 Commit Notification 2018-01-30 15:33:00 UTC
Caolán McNamara committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=82e74f704ce4fe3ffe7ab74c14fe83d2d44dd088&h=libreoffice-5-4

Resolves: tdf#114221 generate both std97 and cryptoapi keys from password..

It will be available in 5.4.5.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.