libreoffice password protection doesn't work

  • Done
  • quality assurance status badge
Details
One participant
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
M
M
Maxim Cournoyer wrote on 16 Nov 2022 02:08
(name . bug-guix)(address . bug-guix@gnu.org)
87sfijln98.fsf@gmail.com
Hi,

When password-protecting (encrypting) a file with LibreOffice, it fails
silently, leaving the file unprotected (!).

Reproducer:

1. Launch Calc with 'libreoffice --calc'.
2. Input something in the first cell.
3. Select File -> Save As. At the bottom left of the dialog box, make
sure to tick the "Save with password" box. Give it a name,
e.g. very-secret.ods, then click on "Save".
4. Enter a dummy password, such as 1234.
5. Quit LibreOffice Calc.

6. Open the assumed protected file, with 'libreoffice --calc
very-secret.ods'. Notice the file is open without any password.

No output is printed at the console, and if you have an truly
password-encrypted file, it won't be able to open it.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 17 Feb 2023 21:43
(address . 59292@debbugs.gnu.org)
87ilg0qazj.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

Toggle quote (21 lines)
> Hi,
>
> When password-protecting (encrypting) a file with LibreOffice, it fails
> silently, leaving the file unprotected (!).
>
> Reproducer:
>
> 1. Launch Calc with 'libreoffice --calc'.
> 2. Input something in the first cell.
> 3. Select File -> Save As. At the bottom left of the dialog box, make
> sure to tick the "Save with password" box. Give it a name,
> e.g. very-secret.ods, then click on "Save".
> 4. Enter a dummy password, such as 1234.
> 5. Quit LibreOffice Calc.
>
> 6. Open the assumed protected file, with 'libreoffice --calc
> very-secret.ods'. Notice the file is open without any password.
>
> No output is printed at the console, and if you have an truly
> password-encrypted file, it won't be able to open it.

Attached is a sample ODS file, produced on a different GNU/Linux
distribution immune to the problem. The password is: "1234".
Attachment: password-protected-spreadsheet.ods
When attempting to open it with our LibreOffice, it says: "The password
is incorrect. The file cannot be opened.", which is a lie.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 05:27
(address . 59292@debbugs.gnu.org)
877cwfr42x.fsf@gmail.com
Hi,

It may have to do with not correctly finding the "libnssckbi.so" share
library, which is from NSS. Here's what tipped me to it, in strace
output:

Toggle snippet (16 lines)
13 matches for "ckbi" in buffer: *scratch*
169:[pid 2594] openat(AT_FDCWD, "/home/maxim/.thunderbird/sjp3hftb.default/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
171:[pid 2594] openat(AT_FDCWD, "/gnu/store/rrid5nx9cbrq0flkhc1rv4b5hk4w70ib-nspr-4.34/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
172:[pid 2594] openat(AT_FDCWD, "/gnu/store/5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
173:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
174:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
176:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
178:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
180:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
182:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
184:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
186:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
188:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
190:[pid 2594] openat(AT_FDCWD, "/gnu/store/5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

It never resolves libnssckbi.so.

LibreOffice attempts to load this library in
xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
'nsscrypto_initialize' procedure.

The library appears to be dynamically loaded via SECMOD_LoadUserModule.
Perhaps we can patch 'OUString rootModule("libnssckbi"
SAL_DLLEXTENSION)' to its full name. Some more output, after building
libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
environment variable:

Toggle snippet (8 lines)
info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138: Can't write encryption related properties com.sun.star.uno.RuntimeException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274: Rethrow com.sun.star.io.IOException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243 at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"

So it seems to cause an error, which is apparently ignored.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 05:32
(address . 59292@debbugs.gnu.org)
87zg9bpp9h.fsf@gmail.com
Hi again,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

[...]

Toggle quote (21 lines)
> It never resolves libnssckbi.so.
>
> LibreOffice attempts to load this library in
> xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
> 'nsscrypto_initialize' procedure.
>
> The library appears to be dynamically loaded via SECMOD_LoadUserModule.
> Perhaps we can patch 'OUString rootModule("libnssckbi"
> SAL_DLLEXTENSION)' to its full name. Some more output, after building
> libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
> environment variable:
>
> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
> info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
> warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
> warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138: Can't write encryption related properties com.sun.star.uno.RuntimeException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
> info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274: Rethrow com.sun.star.io.IOException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243 at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"
>
> So it seems to cause an error, which is apparently ignored.

I confirm this is the problem. A workaround is to augment
LD_LIBRARY_PATH, e.g.:

Toggle snippet (3 lines)
"LD_LIBRARY_PATH=/gnu/store/...-nss-3.81/lib/nss:$LD_LIBRARY_PATH /gnu/store/...-libreoffice-7.5.0.3/bin/libreoffice --calc"

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 21:00
(address . 59292-done@debbugs.gnu.org)
87zg9aoibi.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

Toggle quote (41 lines)
> Hi again,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
> [...]
>
>> It never resolves libnssckbi.so.
>>
>> LibreOffice attempts to load this library in
>> xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
>> 'nsscrypto_initialize' procedure.
>>
>> The library appears to be dynamically loaded via SECMOD_LoadUserModule.
>> Perhaps we can patch 'OUString rootModule("libnssckbi"
>> SAL_DLLEXTENSION)' to its full name. Some more output, after building
>> libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
>> environment variable:
>>
>> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
>> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
>> info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
>> warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
>> warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138:
>> Can't write encryption related properties
>> com.sun.star.uno.RuntimeException message: "No expected key is
>> provided! at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
>> info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274:
>> Rethrow com.sun.star.io.IOException message: "No expected key is
>> provided! at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243
>> at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"
>>
>> So it seems to cause an error, which is apparently ignored.
>
> I confirm this is the problem. A workaround is to augment
> LD_LIBRARY_PATH, e.g.:
>
> "LD_LIBRARY_PATH=/gnu/store/...-nss-3.81/lib/nss:$LD_LIBRARY_PATH /gnu/store/...-libreoffice-7.5.0.3/bin/libreoffice --calc"

I've reported the problem upstream [0], and push a fix for our package
with 9f21ca83a89a5e6c808b58fab0dc54b7785c26b7 ("gnu: libreoffice: Fix
password encryption issue.").

Closing!


--
Thanks,
Maxim
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 59292@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 59292
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch