https://bugs.freedesktop.org/show_bug.cgi?id=51819
--- Comment #51 from [email protected] --- @VolkerTwer @Matúš Kukan @Markus Mohrhard Thanks for taking time for this issue! It seems we are only a small step away from a working patch! Unfortunately I cannot create one, but I think sg like this would be necessary: Inside http://opengrok.libreoffice.org/xref/core/framework/source/services/autorecovery.cxx#implts_saveOneDoc OUString sPassword = lOldArgs.getUnpackedValueOrDefault(utl::MediaDescriptor::PROP_PASSWORD(), OUString()); if (!sPassword.isEmpty()) lNewArgs[utl::MediaDescriptor::PROP_PASSWORD()] <<= sPassword; + css::uno::Sequence< css::beans::NamedValue > aEncryptionData = getUnpackedValueOrDefault(utl::MediaDescriptor::PROP_ENCRYPTIONDATA(), css::uno::Sequence< css::beans::NamedValue >() ); + if (aEncryptionData.getLength() > 0) + lNewArgs[utl::MediaDescriptor::PROP_ENCRYPTIONDATA()] <<= aEncryptionData; So PROP_ENCRYPTIONDATA would be put into lNewArgs too, when needed. IMHO this issue in LibO was introduced this way: 1. m106 was merged, and LibO started to use PROP_ENCRYPTIONDATA. At that time the recovery was working without problems, but bug 37825 was introduced. 2. Bug 37825 was fixed with these commits: http://cgit.freedesktop.org/libreoffice/core/commit/?id=dd5f9610f5df4d6ac8062d7b94db0353f8c0fb72 http://cgit.freedesktop.org/libreoffice/core/commit/?id=cdfad2dbbf180d3c556964c7aa8e0bb3b299d5e3 (BTW SID_ENCRYPTIONDATA is cleared twice now due to the two different commits) The first commit introduced this issue, as now ENCRYPTIONDATA is cleared in PreDoSaveAs_Impl from the original document, and it is not put into the property set inside implts_saveOneDoc. So I think the solution could be to put this into the set too. @chtfn @Ryan Dunlop Hi, I just tried these versions, all of them seem to have the bug too (so it is in the 4.2 branch too): Version Date Bug? 4.1.4.2 2013-12-12 X 4.1.5.3 2014-02-07 X 4.2.0.4 2014-01-29 X 4.2.1.1 2014-02-14 X 4.2.2.1 2014-02-28 X (The backup file was always unencrypted and for the recovering no password was needed.) @mike.hall Hi, I already tried to inform the security team about this issue (although maybe not with the best methods), interestingly they did not find it important enough (perhaps Michael pulled some strings there too?), so it seems, that we must try to solve this issue on our own somehow... @Michael Meeks Sorry, but I would be really eager to know what _you_ personally did to solve this issue since you took notice of it (besides maybe playing down its importance, effectively blocking it inside the dev team and forcing your own personal lower standards of security on the whole user base)? -- You are receiving this mail because: You are the assignee for the bug.
_______________________________________________ Libreoffice-bugs mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
