FYI: LO's security system is compromised, please be careful

It turned out that LibreOffice has a security-related issue
(https://bugs.freedesktop.org/show_bug.cgi?id=51819) that makes it save the
AutoRecovery files for password-protected documents without any protection
(encryption).

It essentially means that with AutoRecovery enabled (which is the default):
- after an application or system crash (e.g. a power failure) anybody can
recover the document without knowing the password (the document 'loses' its
password)
- anybody who has access to the system drive (e.g. through the network)
while you are editing a document can open it without knowing the password
- anybody who has physical access to your system hard drive, now or in the
future (at worst even months/years after the actual editing), has the
chance to unerase the document and open it without knowing the password

If you use password-protection a lot and are concerned about the security
of your documents, it could be advisable to switch the AutoRecovery feature
off until the bug gets fixed.

The issue applies to all LibreOffice modules (Writer, Calc, Draw, ...) and
was introduced in version 3.4.6 (March 2012).
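
One way to check whether recovery copies on disk are stored in the clear, as an added example that is not part of the original post or of LibreOffice: an encrypted ODF package carries `manifest:encryption-data` elements in `META-INF/manifest.xml`, so a package without them is readable without a password. The directory to scan is passed by the user, and `sample_package` builds constructed test input.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ENC_TAG = f"{{{MANIFEST_NS}}}encryption-data"

def odf_is_encrypted(data: bytes):
    """True/False for an ODF package, None if the bytes are not an ODF zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            manifest = zf.read("META-INF/manifest.xml")
        root = ET.fromstring(manifest)
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    # Encrypted packages describe each encrypted stream with encryption-data.
    return root.find(f".//{ENC_TAG}") is not None

def audit_dir(directory):
    """Sorted names of ODF packages in `directory` stored without encryption."""
    exposed = []
    for path in Path(directory).iterdir():
        if path.is_file() and odf_is_encrypted(path.read_bytes()) is False:
            exposed.append(path.name)
    return sorted(exposed)

def sample_package(encrypted: bool) -> bytes:
    """Constructed minimal ODF-like zip, for demonstration only."""
    enc = ('<manifest:encryption-data manifest:checksum-type="SHA1/1K" '
           'manifest:checksum="AAAA"/>') if encrypted else ""
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                f'<manifest:file-entry manifest:full-path="content.xml" '
                f'manifest:media-type="text/xml">{enc}</manifest:file-entry>'
                f'</manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", "<x/>")
    return buf.getvalue()

if __name__ == "__main__":
    # Usage: python audit_recovery.py <backup-directory>
    for name in audit_dir(sys.argv[1]):
        print("unencrypted ODF package:", name)
```

The script lists every plaintext package it finds, including recovery copies of documents that never had a password, so compare the output against the documents you expect to be protected.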

Hmm. On a general note, one should know that a lot of applications (all?)
have a tendency to leak information through temporary files, caching,
memory swapping... And appropriate care should be taken if you're
manipulating sensitive information: system drive NOT available through
network, encrypted temp partition, encrypted swap (with random key), not
leaving the computer unattended while powered (even if the screen's locked,
it's a liability because full-disk encryption keys might be recoverable
from RAM), etc.

More specific to LO now: this issue, if it works as advertised (didn't
check thoroughly, but on Linux LO 4.1.4.2 the issue exists), doesn't come
from some side-effect of our modern OS, but is directly linked with LO.

Maybe a solution would be to automatically disable temporary
backup/recovery when opening a file with a password. Unfortunately I'm not
very familiar with LO codebase, but perhaps such a solution would be easy
enough to implement to bring current developers' attention to it.
At least it's significantly easier (and safer!) than trying to remember the
document key, save the recovery data encrypted, change the recovery dialog
to handle these cases, etc. Of course one would lose the ability to use
recovery for encrypted documents, but it's not necessarily a bad thing :)

Note that if your document is really sensitive, the fact that it's
encrypted when saving doesn't mean that it's safe: if you're not cautious
about your whole system, entire parts of the file can end up on swap anyway
as you're working on it (it has to be in clear in the RAM at some
point...).

For what it's worth, one short-term solution is to have the temporary place
encrypted. For example, on some Linux systems (namely Ubuntu, don't know
for others) you can choose to encrypt your home folder, which happens to
contain the backup path used by LO. This doesn't protect you from network
access, but that's only relevant if you set open network access to your
home folder, including config files in hidden directories... Which I hope
is not that common.

Hi :)
Password protection is usually just a polite request.

Users choose such dumb passwords especially if they have to share.
Then they keep passwords written down!! and in such stupid places that
it's usually VERY easy for anyone to break in.

First guess is that they cleverly used "password". It's usually
written on a post-it note stuck to the screen, or keyboard or some
extremely cautious people write it on the underside of their keyboard.
Apparently almost everyone uses dictionary words (I don't and
hopefully most here don't but mine aren't brilliant either) so someone
interested enough to watch a 5min YouTube video could break in within
a couple of minutes. Usually a LOT less time than a legitimate worker
trying to honestly open the file for legitimate reasons.

This thread makes it sound like MS protection is better. It isn't.
Just double click on it to open in LibreOffice, or OpenOffice, and
probably most other such programs = or open the program and drag the
file in to open it with the program that way.

My company's finance department wanted me to fix a problem with one of
their files and I did so before they could even give me the password!!
I hadn't realised there had been any password protection.
Regards from
Tom :)

And for those really interested - we did recommend for those who are
really concerned about security to encrypt your drive as it really *is*
the way to protect data. Just to give a full picture of the situation.

Additionally, we have requested that the OP actually help a bit and
track down what exact version it was created as a regression which
wasn't done. This will at least help a little towards finding a solution.

If someone else will actually do some of the work:
http://downloadarchive.documentfoundation.org/libreoffice/old/

We just need to install/remove until we find exactly what point the bug
is introduced. No promise that this will lead to a fast fix, but it's an
actual step towards a solution that is productive.

So 3.3.4 seems to work - going forward from that point if someone could
track down the exact version that would be useful.

Best,
Joel

Sorry, just have seen this (different time zone), will do the work, but it
will take some time.
I think debugging the spot mentioned in the report would also help (but I
cannot do that).

Hi :)
We are mostly all in different time-zones so don't worry.

Best way of using any security is to use it in combination with other
types of security, i.e., find some way of discouraging people from
putting post-its in obvious places.

Perhaps make it into some sort of game? I'd be tempted to collect the
post-its into a drawer so that people forgetting what was written on the
post-it have to shuffle through the drawer and see the types of
passwords other people are using and see how many use the same
password as each other. Perhaps point out that everyone can easily
login to their machine and see all those pics they shouldn't have or
use their machine to download dodgy pics to pass the blame. Ok, those
are too evil for me to actually do myself but someone with a lot of
charisma might be able to get away with that sort of thing.

Regards from
Tom :)