libreoffice password protection doesn't work

  • Done
  • quality assurance status badge
Details
One participant
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
M
M
Maxim Cournoyer wrote on 16 Nov 2022 02:08
(name . bug-guix)(address . bug-guix@gnu.org)
87sfijln98.fsf@gmail.com
Hi,

When password-protecting (encrypting) a file with LibreOffice, it fails
silently, leaving the file unprotected (!).

Reproducer:

1. Launch Calc with 'libreoffice --calc'.
2. Input something in the first cell.
3. Select File -> Save As. At the bottom left of the dialog box, make
sure to tick the "Save with password" box. Give it a name,
e.g. very-secret.ods, then click on "Save".
4. Enter a dummy password, such as 1234.
5. Quit LibreOffice Calc.

6. Open the assumed protected file, with 'libreoffice --calc
very-secret.ods'. Notice the file is open without any password.

No output is printed at the console, and if you have an truly
password-encrypted file, it won't be able to open it.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 17 Feb 2023 21:43
(address . 59292@debbugs.gnu.org)
87ilg0qazj.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

Toggle quote (21 lines)
> Hi,
>
> When password-protecting (encrypting) a file with LibreOffice, it fails
> silently, leaving the file unprotected (!).
>
> Reproducer:
>
> 1. Launch Calc with 'libreoffice --calc'.
> 2. Input something in the first cell.
> 3. Select File -> Save As. At the bottom left of the dialog box, make
> sure to tick the "Save with password" box. Give it a name,
> e.g. very-secret.ods, then click on "Save".
> 4. Enter a dummy password, such as 1234.
> 5. Quit LibreOffice Calc.
>
> 6. Open the assumed protected file, with 'libreoffice --calc
> very-secret.ods'. Notice the file is open without any password.
>
> No output is printed at the console, and if you have an truly
> password-encrypted file, it won't be able to open it.

Attached is a sample ODS file, produced on a different GNU/Linux
distribution immune to the problem. The password is: "1234".
Attachment: password-protected-spreadsheet.ods
When attempting to open it with our LibreOffice, it says: "The password
is incorrect. The file cannot be opened.", which is a lie.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 05:27
(address . 59292@debbugs.gnu.org)
877cwfr42x.fsf@gmail.com
Hi,

It may have to do with not correctly finding the "libnssckbi.so" share
library, which is from NSS. Here's what tipped me to it, in strace
output:

Toggle snippet (16 lines)
13 matches for "ckbi" in buffer: *scratch*
169:[pid 2594] openat(AT_FDCWD, "/home/maxim/.thunderbird/sjp3hftb.default/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
171:[pid 2594] openat(AT_FDCWD, "/gnu/store/rrid5nx9cbrq0flkhc1rv4b5hk4w70ib-nspr-4.34/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
172:[pid 2594] openat(AT_FDCWD, "/gnu/store/5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
173:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
174:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
176:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
178:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
180:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../tls/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
182:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
184:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
186:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../x86_64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
188:[pid 2594] openat(AT_FDCWD, "/gnu/store/094bbaq6glba86h1d4cj16xhdi6fk2jl-gcc-10.3.0-lib/lib/gcc/x86_64-unknown-linux-gnu/10.3.0/../../../libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
190:[pid 2594] openat(AT_FDCWD, "/gnu/store/5h2w4qi9hk1qzzgi1w83220ydslinr4s-glibc-2.33/lib/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

It never resolves libnssckbi.so.

LibreOffice attempts to load this library in
xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
'nsscrypto_initialize' procedure.

The library appears to be dynamically loaded via SECMOD_LoadUserModule.
Perhaps we can patch 'OUString rootModule("libnssckbi"
SAL_DLLEXTENSION)' to its full name. Some more output, after building
libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
environment variable:

Toggle snippet (8 lines)
info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138: Can't write encryption related properties com.sun.star.uno.RuntimeException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274: Rethrow com.sun.star.io.IOException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243 at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"

So it seems to cause an error, which is apparently ignored.

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 05:32
(address . 59292@debbugs.gnu.org)
87zg9bpp9h.fsf@gmail.com
Hi again,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

[...]

Toggle quote (21 lines)
> It never resolves libnssckbi.so.
>
> LibreOffice attempts to load this library in
> xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
> 'nsscrypto_initialize' procedure.
>
> The library appears to be dynamically loaded via SECMOD_LoadUserModule.
> Perhaps we can patch 'OUString rootModule("libnssckbi"
> SAL_DLLEXTENSION)' to its full name. Some more output, after building
> libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
> environment variable:
>
> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
> info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
> warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
> warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138: Can't write encryption related properties com.sun.star.uno.RuntimeException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
> info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274: Rethrow com.sun.star.io.IOException message: "No expected key is provided! at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243 at /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"
>
> So it seems to cause an error, which is apparently ignored.

I confirm this is the problem. A workaround is to augment
LD_LIBRARY_PATH, e.g.:

Toggle snippet (3 lines)
"LD_LIBRARY_PATH=/gnu/store/...-nss-3.81/lib/nss:$LD_LIBRARY_PATH /gnu/store/...-libreoffice-7.5.0.3/bin/libreoffice --calc"

--
Thanks,
Maxim
M
M
Maxim Cournoyer wrote on 18 Feb 2023 21:00
(address . 59292-done@debbugs.gnu.org)
87zg9aoibi.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

Toggle quote (41 lines)
> Hi again,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
> [...]
>
>> It never resolves libnssckbi.so.
>>
>> LibreOffice attempts to load this library in
>> xmlsecurity/source/xmlsec/nss/nssinitializer.cxx, in the
>> 'nsscrypto_initialize' procedure.
>>
>> The library appears to be dynamically loaded via SECMOD_LoadUserModule.
>> Perhaps we can patch 'OUString rootModule("libnssckbi"
>> SAL_DLLEXTENSION)' to its full name. Some more output, after building
>> libreoffice with "--enable-sal-log" and setting the 'SAL_LOG=+INFO'
>> environment variable:
>>
>> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:857: expandMacros called with: libnssckbi.so
>> info:sal.bootstrap:8927:8927:sal/rtl/bootstrap.cxx:985: expandMacros result: libnssckbi.so
>> info:xmlsecurity.xmlsec:8927:8927:xmlsecurity/source/xmlsec/nss/nssinitializer.cxx:471: FAILED to load the new root certificate module Root Certs for OpenOffice.orgcontained in libnssckbi.so
>> warn:legacy.osl:8927:8927:comphelper/source/misc/storagehelper.cxx:406: Can not create SHA256 digest!
>> warn:package.xstor:8927:8927:package/source/xstor/owriteablestream.cxx:1138:
>> Can't write encryption related properties
>> com.sun.star.uno.RuntimeException message: "No expected key is
>> provided! at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243"
>> info:package.xstor:8927:8927:package/source/xstor/xstorage.cxx:2274:
>> Rethrow com.sun.star.io.IOException message: "No expected key is
>> provided! at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/zippackage/ZipPackageStream.cxx:243
>> at
>> /tmp/guix-build-libreoffice-7.5.0.3.drv-0/libreoffice-7.5.0.3/package/source/xstor/owriteablestream.cxx:1140"
>>
>> So it seems to cause an error, which is apparently ignored.
>
> I confirm this is the problem. A workaround is to augment
> LD_LIBRARY_PATH, e.g.:
>
> "LD_LIBRARY_PATH=/gnu/store/...-nss-3.81/lib/nss:$LD_LIBRARY_PATH /gnu/store/...-libreoffice-7.5.0.3/bin/libreoffice --calc"

I've reported the problem upstream [0], and push a fix for our package
with 9f21ca83a89a5e6c808b58fab0dc54b7785c26b7 ("gnu: libreoffice: Fix
password encryption issue.").

Closing!


--
Thanks,
Maxim
Closed
?