Bug 93389 - Document recovery strips encryption
Summary: Document recovery strips encryption
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: filters and storage (show other bugs)
Version:
(earliest affected)
4.4.5.2 release
Hardware: Other All
: high major
Assignee: Mike Kaganski
URL:
Whiteboard: target:6.5.0 target:6.4.2 target:6.3.6
Keywords:
: 116327 (view as bug list)
Depends on:
Blocks: AutoSave-AutoRecovery-Backup Document-Recovery
  Show dependency treegraph
 
Reported: 2015-08-12 15:36 UTC by DN
Modified: 2020-03-05 10:57 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description DN 2015-08-12 15:36:44 UTC
When recovering an encrypted document, LibreOffice asks for the password to decrypt the original, then "forgets" that is encrypted.

Subsequently saving the document saves it without encryption, without warning.

This can very easily lead to silent stripping of the password on the recovered document, which will go un-noticed unless/until the user subsequently opens the document and also realises that they were not asked for a password.

I'm assuming that when LO opens an encrypted document it caches the password for subsequent saving; in this case it should be possible to also cache at the point of opening/decrypting the original during recovery.

Given that this results in silent loss of encryption I have set the issue severity to major.
Comment 1 sophie 2015-08-25 12:21:57 UTC
Hi, can you provide a sample corrupted document (and its password) so we can make some tests with it and what is your operating system. Thanks, setting as needinfo - Sophie
Comment 2 DN 2015-09-04 16:59:27 UTC
I ran a set of tests against different document types, and this actually only affects OOXML documents.

Steps to reproduce:

* Start Calc (or Writer, etc.)
* Under Options -> Load/Save -> General, make sure "Save AutoRecovery information" is checked, and "Automatically save the document" is unchecked (these were the defaults already for me)
* Change auto-recovery interval to 1 minute (for speed of reproduction)
* Save the document with encryption as .xlsx (or .docx, etc.)
* Close the document, and completely quit LibreOffice
* Open the document
* Make a change
* Wait at least 1 minute
* Force-kill the soffice.bin process (on Linux: pkill -9f soffice.bin)
* Start Calc (or Writer etc.)
* Complete document recovery
* Make a change
* Save the document (Ctrl-S or click the save icon)
* Close the document
* Open it again

The document no longer has a password.
Comment 3 QA Administrators 2017-05-22 13:38:43 UTC Comment hidden (obsolete)
Comment 4 DN 2017-05-22 16:21:49 UTC
Still present, 5.2.7.2
Comment 5 Xisco Faulí 2017-07-27 09:26:36 UTC Comment hidden (obsolete)
Comment 6 DN 2017-07-27 10:43:17 UTC Comment hidden (no-value)
Comment 7 Xisco Faulí 2017-07-27 10:49:36 UTC Comment hidden (obsolete)
Comment 8 DN 2017-07-27 10:56:08 UTC Comment hidden (no-value)
Comment 9 DN 2017-07-27 10:57:35 UTC
And just as a reminder:

* this is a serious document security issue - it SILENTLY strips document encryption following an application crash
Comment 10 Julien Nabet 2018-03-10 07:45:24 UTC
*** Bug 116327 has been marked as a duplicate of this bug. ***
Comment 11 Julien Nabet 2018-03-10 07:48:39 UTC
The dup allowed to confirm this one.
Let's increase the importance given the security problem it indeed brings.
Comment 12 DN 2018-03-10 11:49:31 UTC Comment hidden (no-value)
Comment 13 Julien Nabet 2018-03-10 13:08:24 UTC Comment hidden (no-value)
Comment 14 DN 2018-03-10 13:38:08 UTC Comment hidden (no-value)
Comment 15 Stephen Hemminger 2018-03-10 16:55:32 UTC
Do I need to file a CVE on this for it to get attention it deserves a potential security issue?
Comment 16 QA Administrators 2019-10-07 03:01:28 UTC Comment hidden (obsolete)
Comment 17 DN 2019-11-09 11:09:56 UTC
Still exists in 6.3.2.2.
Comment 18 Commit Notification 2020-01-04 06:41:22 UTC
Mike Kaganski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/dd198398b6e5c84ab1255a90ef96e6445b66a64f

tdf#93389: keep encryption information for autorecovered MS formats

It will be available in 6.5.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 19 Mike Kaganski 2020-02-08 18:55:45 UTC
*** Bug 129096 has been marked as a duplicate of this bug. ***
Comment 20 Commit Notification 2020-02-10 15:19:41 UTC
Mike Kaganski committed a patch related to this issue.
It has been pushed to "libreoffice-6-4":

https://git.libreoffice.org/core/commit/2cd3632ac93169ad3c082ff4fb740c3d3dfff071

tdf#93389: keep encryption information for autorecovered MS formats

It will be available in 6.4.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 21 Commit Notification 2020-02-10 15:37:31 UTC
Mike Kaganski committed a patch related to this issue.
It has been pushed to "libreoffice-6-3":

https://git.libreoffice.org/core/commit/b6809c72b509fcc223c80595d554902a1b4f4e24

tdf#93389: keep encryption information for autorecovered MS formats

It will be available in 6.3.6.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 22 Vasily Melenchuk (CIB) 2020-02-11 10:17:30 UTC
Problem is still reproducible with scenario from https://bugs.documentfoundation.org/show_bug.cgi?id=129096

Tested with master on Win10.
Comment 23 Mike Kaganski 2020-02-11 11:05:05 UTC
(In reply to Vasily Melenchuk (CIB) from comment #22)
> Problem is still reproducible with scenario from
> https://bugs.documentfoundation.org/show_bug.cgi?id=129096

Just tested with Version: 7.0.0.0.alpha0+ (x64)
Build ID: d2dfda8aba7701d19001d7a080d965a83e30443f
CPU threads: 12; OS: Windows 10.0 Build 18363; UI render: GL; VCL: win; 
Locale: ru-RU (ru_RU); UI-Language: en-US
Calc: CL

and couldn't repro. Created an empty doc in Writer; saved it with password "1" as DOCX; reopened to make sure it asks for the password; entered a word; let it wait an auto-save; killed soffice.bin using task manager; started soffice and got a recovery prompt; agreed and was asked the password; entered the password and got successful recovery with the entered word; pressed Save button and was asked to confirm saving as DOCX (no password prompt); saved and reopened => it asked for the password.
Comment 24 Mike Kaganski 2020-02-11 11:09:39 UTC
Aha, see it when not waited for autosave.
Comment 25 Vasily Melenchuk (CIB) 2020-02-11 11:13:33 UTC
Yes, without autosave LO still losing password.

I have ugly hack for this situation https://gerrit.libreoffice.org/c/core/+/84039
But have no good ideas how to improve it.
Comment 26 Vasily Melenchuk (CIB) 2020-03-05 10:57:30 UTC
tdf#129096 is fixed in a separate way. Returning this task to RESOLVED state