Bug 71281 - [SECURITY] Password removed from ODS file when saving to XLS, XLT...
Summary: [SECURITY] Password removed from ODS file when saving to XLS, XLT...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
4.1.3.2 release
Hardware: Other Windows (All)
: medium major
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
: 125114 (view as bug list)
Depends on:
Blocks: XLSX Password-Protected XLS
  Show dependency treegraph
 
Reported: 2013-11-05 20:53 UTC by Mikeyy - L10n HR
Modified: 2019-05-07 20:30 UTC (History)
4 users (show)

See Also:
Crash report or crash signature:


Attachments
Test password file (8.39 KB, application/vnd.oasis.opendocument.spreadsheet)
2013-11-05 20:53 UTC, Mikeyy - L10n HR
Details
password forget (12.13 KB, application/vnd.oasis.opendocument.spreadsheet)
2019-03-24 10:53 UTC, durgarao_8in
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mikeyy - L10n HR 2013-11-05 20:53:08 UTC
Created attachment 88730 [details]
Test password file

This is a security breach bug.

Take any password protected ODS file. For example I made simple ODS file, locked down sheet and document, you cannot even select cells.

1. Open attached file.
2. Save As -> XLS file
3. You will be prompted that passwords aren't hash compatible and if you want to select new password.
4. Select to rewrite password and then select to remove password.
5. After you finish, go to TOOLS - PROTECT DOCUMENT and remove protection from sheet and document.

In 4th step, you can also choose new password instead of removing old, you just need to uncheck "Same password as old password" checkbox.

This affects XLS, XLT, but not XLSX.
Not sure if it affects other formats.
Comment 1 Tomaz Vajngerl 2013-11-06 14:33:44 UTC
This is weird - why is retyping even needed. I saved ODS to XLSX and then reopened the XLSX file and saved as XLS. In this case there was no prompt to retype the password and the XLS was still protected. If it goes from ODS->XLSX->XLS then it must also go from ODS->XLS without the prompt to retype the password.

Anyway - all we need to do is to add a check for the old password in the "Re-type password" Dialog.
Comment 2 Mikeyy - L10n HR 2013-11-06 19:44:19 UTC
Removing password or changing it should have mandatory "Type old password first" prompt.
It looks like you can pretty much crack open any ODS file like this.
Comment 3 Tomaz Vajngerl 2013-11-06 20:51:13 UTC
> It looks like you can pretty much crack open any ODS file like this.

Yes.. now you can. However sheet protection does not encrypt the document anyway so you can easily unzip and remove the protection from the xml file if you want to get rid of the protection.

I will take a look at this bug when time permits. If someone wants to take this bug please say.
Comment 4 QA Administrators 2016-02-21 08:36:40 UTC Comment hidden (obsolete, spam)
Comment 5 durgarao_8in 2019-03-24 10:53:48 UTC
Created attachment 150249 [details]
password forget
Comment 6 m.a.riosv 2019-05-07 20:30:09 UTC
*** Bug 125114 has been marked as a duplicate of this bug. ***