Description:
The password protection system in LibreOffice Calc 24.2.0.3 seems to have serious deficits. Please see the following bug for the first bug I found:
https://bugs.documentfoundation.org/show_bug.cgi?id=159512
This bug is even more severe. I discovered that ODS files saved with passwords by LibreOffice Calc 24.2.0.3 (X86_64) can be opened without providing any password. STR below.
Steps to Reproduce:
1. Open LibreOffice Calc.
2. Create a new spreadsheet or open an existing spreadsheet.
3. Save the spreadsheet as an ODS file with a password.
4. Close LibreOffice Calc.
5. Open LibreOffice Calc.
6. Open the file saved in step 3.
7. Notice that LibreOffice Calc does not ask for a password, but will open the file.
Actual Results:
Can open password-protected files without any password.
Expected Results:
Password needed to open password-protected files.
Reproducible: Always
User Profile Reset: Yes
Additional Info:
Version: 24.2.0.3 (X86_64) / LibreOffice Community
Build ID: da48488a73ddd66ea24cf16bbc4f7b9c08e9bea1
CPU threads: 4; OS: Windows 6.1 Service Pack 1 Build 7601; UI render: Skia/Raster; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: CL threaded

Created attachment 192336
"Password protected" file that can be opened without any password.
The attached password protected ODS file was created in LibreOffice Calc 24.2.0.3, but can be opened without any password. The password, though not needed, is `criticalbug2`.

Thanks for the report.
I can't reproduce on Linux, I am prompted to enter the password:
Version: 24.2.0.3 (X86_64) / LibreOffice Community
Build ID: da48488a73ddd66ea24cf16bbc4f7b9c08e9bea1
CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
Locale: en-AU (en_AU.UTF-8); UI: en-US
Calc: threaded
Let's see if it's Windows-specific.

Not reproduced from scratch.
Version: 24.2.0.3 (X86_64) / LibreOffice Community
Build ID: da48488a73ddd66ea24cf16bbc4f7b9c08e9bea1
CPU threads: 2; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: threaded

(In reply to Stéphane Guillou (stragu) from comment #2)
> Thanks for the report.
>
> I can't reproduce on Linux, I am prompted to enter the password:
>
> Version: 24.2.0.3 (X86_64) / LibreOffice Community
> Build ID: da48488a73ddd66ea24cf16bbc4f7b9c08e9bea1
> CPU threads: 8; OS: Linux 5.15; UI render: default; VCL: gtk3
> Locale: en-AU (en_AU.UTF-8); UI: en-US
> Calc: threaded
>
> Let's see if it's Windows-specific.
For clarity, did you try reproducing using the STR, the attachment, or both? If you only tried the STR, would you mind trying the attachment?

the attached file does not have encrypted streams, but the XML streams in it do have the random comment at the start that is only produced when the file should be encrypted... very odd... so the XML filter component believes it is an encrypted file, but the package component believes it is unencrypted?
can't reproduce it with current master

(In reply to Jimmy from comment #0)
> Additional Info:
> Version: 24.2.0.3 (X86_64) / LibreOffice Community
> Build ID: da48488a73ddd66ea24cf16bbc4f7b9c08e9bea1
> CPU threads: 4; OS: Windows 6.1 Service Pack 1 Build 7601; UI render:
> Skia/Raster; VCL: win
> Locale: en-US (en_US); UI: en-US
> Calc: CL threaded
I have to wonder whether the problem is specifically on your Win *7* OS that has *no* Internet connection.
I also wonder whether using LibreOffice for Windows 32 bits would have a different result in the same exact Windows 6.1 Service Pack 1 Build 7601 OS (instead of LO X86_64).
Maybe just testing on some other Windows version and/or on 64 bits will not be enough to reproduce the issue either.

another thing to try is if it reproduces with a fresh user profile... maybe there's some setting that has an unexpected effect on this.

Michael Stahl committed a patch related to this issue.
It has been pushed to "master":
https://git.libreoffice.org/core/commit/58c31ded0264103769595a1b25739b0e8df571cd
tdf#159519 comphelper,package: do not store document without SHA256
It will be available in 24.8.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Michael Stahl committed a patch related to this issue.
It has been pushed to "master":
https://git.libreoffice.org/core/commit/0690f3b7b981417a7b1f2fffd87c593a2a2a15d5
tdf#159519 libxmlsec: avoid linking function not existent in Windows 7
It will be available in 24.8.0.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

fixed on master
the problem was that upgrading libxmlsec to 1.3.0 introduced a dependency on a function that doesn't exist on Windows 7, so a DLL failed to load, so LO couldn't create a SHA256 hash, and this error was handled in the worst possible way by storing the document without encryption.

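
An added example (not part of the bug thread and not LibreOffice code): a check for the symptom described in the comments above, a "password-protected" ODF package whose streams were in fact stored without encryption. It assumes the standard ODF packaging rule that every encrypted stream has a `manifest:encryption-data` child in `META-INF/manifest.xml`; `odf_encryption_status` and `build_sample` are hypothetical names and the sample packages are constructed.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ODS_MIME = "application/vnd.oasis.opendocument.spreadsheet"

def odf_encryption_status(data: bytes) -> dict:
    """Report which streams META-INF/manifest.xml marks as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        root = ET.fromstring(pkg.read("META-INF/manifest.xml"))
    encrypted, plain = [], []
    for entry in root.iter(f"{{{NS}}}file-entry"):
        path = entry.get(f"{{{NS}}}full-path", "")
        if path.endswith("/"):  # "/" and directory entries carry no stream
            continue
        has_enc = entry.find(f"{{{NS}}}encryption-data") is not None
        (encrypted if has_enc else plain).append(path)
    return {"protected": bool(encrypted), "encrypted": encrypted, "plain": plain}

def build_sample(encrypted: bool) -> bytes:
    """Constructed minimal package for the demo, not a real spreadsheet."""
    enc = "<manifest:encryption-data/>" if encrypted else ""
    manifest = (
        f'<manifest:manifest xmlns:manifest="{NS}">'
        f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{ODS_MIME}"/>'
        '<manifest:file-entry manifest:full-path="content.xml" '
        f'manifest:media-type="text/xml">{enc}</manifest:file-entry>'
        "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", ODS_MIME)
        pkg.writestr("META-INF/manifest.xml", manifest)
        pkg.writestr("content.xml", "<placeholder/>")
    return buf.getvalue()

if __name__ == "__main__":
    # Audit files given on the command line, or fall back to the constructed samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-encrypted", build_sample(True)),
        ("sample-plaintext", build_sample(False)),
    ]
    for name, blob in inputs:
        status = odf_encryption_status(blob)
        verdict = "encrypted" if status["protected"] else "NOT ENCRYPTED"
        print(f"{name}: {verdict}; plaintext streams: {status['plain']}")
```

Files saved with a password on an affected installation and reported as NOT ENCRYPTED need to be re-saved with a fixed build; any copies already shared were readable without the password.
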
*** Bug 159521 has been marked as a duplicate of this bug. ***
*** Bug 159512 has been marked as a duplicate of this bug. ***

Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":
https://git.libreoffice.org/core/commit/003f2ac9fcac9be5156adf280beaf4e2aa499ea5
tdf#159519 comphelper,package: do not store document without SHA256
It will be available in 24.2.2.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-24-2":
https://git.libreoffice.org/core/commit/cac153edee56ac2e57e60de1d0f77265ed48bd91
tdf#159519 libxmlsec: avoid linking function not existent in Windows 7
It will be available in 24.2.2.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

(In reply to Michael Stahl (allotropia) from comment #10)
> fixed on master
Confirmed on Windows 7 x86 (32bits).
>
> the problem was that upgrading libxmlsec to 1.3.0 introduced a dependency on
> a function that doesn't exist on Windows 7, so a DLL failed to load, so LO
> couldn't create a SHA256 hash, and this error was handled in the worst
> possible way by storing the document without encryption.
IIUC (and I could very well be misunderstanding), this is a security problem, at least for users. A file using the new password protection method – or whichever the correct terminology should be – introduced in LO 24.2 would be vulnerable, as anyone using LO 24.2.0.3 on Windows 7 would be able to open (and edit?) such a file without having to use the password.

Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-24-2-1":
https://git.libreoffice.org/core/commit/016b75f8289276468cde320067ae3519fdeb94f4
tdf#159519 libxmlsec: avoid linking function not existent in Windows 7
It will be available in 24.2.1.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-24-2-1":
https://git.libreoffice.org/core/commit/96861294836862f8a051a9d6dd390ab15c0460e4
tdf#159519 comphelper,package: do not store document without SHA256
It will be available in 24.2.1.
The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds
Affected users are encouraged to test the fix and report feedback.

I've reproduced the steps of the first message and I'm asked for a password, so from my side, I can confirm it's fixed on 24.2.1.2.
Version: 24.2.1.2 (X86_64) / LibreOffice Community
Build ID: db4def46b0453cc22e2d0305797cf981b68ef5ac
CPU threads: 16; OS: Windows 10.0 Build 22631; UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: es-ES
Calc: CL threaded