Launchpad has imported 3 comments from the remote bug at https://bugs.documentfoundation.org/show_bug.cgi?id=119811.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2018-09-11T16:47:58+00:00 Libreoffice-a wrote: Description: When opening a docx,xlsx,pptx file, LibreOffice tries to access my Firefox's certificate store and keychain (as reported by default AppArmor rules provided by Canonical on Ubuntu 18.04) Said files has no digital signature to check, if it were the case, it would be required to use system's certificate store and/or seahorse's certificate store. Affected versions are 6.0.3 provided by Canonical and 6.0.6 provided by document foundation launchpad PPA. There are no visible reasons for LibreOffice to try to read anything from Firefox. Here are the logs produced by AppArmor when opening such files : home/Magissia/.mozilla/firefox/mwad0hks.default/cert8.db" pid=19509 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 Sep 11 18:25:31 Marshmallow kernel: [18154.693846] audit: type=1400 audit(1536683131.498:70): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/Magissia/.mozilla/firefox/mwad0hks.default/key3.db" pid=19509 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 Sep 11 18:25:40 Marshmallow kernel: [18163.215743] audit: type=1400 audit(1536683140.018:71): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/version" pid=19509 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Steps to Reproduce: 1. Open any docx file created with Microsoft Word 2013 or superior 2. Enjoy invasion of privacy Actual Results: LibreOffice tries to read private files that has nothing to do with the document or LibreOffice Expected Results: Not reading Firefox's files when opening documents Reproducible: Always User Profile Reset: Yes OpenGL enabled: Yes Additional Info: Version: 6.0.6.2 Build ID: 1:6.0.6-0ubuntu0.18.04.1 Threads CPU : 2; OS : Linux 4.15; UI Render : par défaut; VCL: gtk3; Locale : fr-FR (fr_FR.UTF-8); Calc: group Reply at: https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/0 ------------------------------------------------------------------------ On 2018-09-12T10:28:32+00:00 Thb-b wrote: *** This bug has been marked as a duplicate of bug 118593 *** Reply at: https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/1 ------------------------------------------------------------------------ On 2020-02-10T16:58:52+00:00 Olivier Tilloy wrote: I'm removing the duplicate status: bug 118593 is about loading xmlsecurity at startup even when not needed, whereas this one is a concern about what xmlsecurity does to access firefox's certificates DB. I'm not a security expert but this looks like a valid concern to me, especially since libreoffice requests write mode to cert8.db and key3.db. Is this really needed? Is there a design doc that explains why? Reply at: https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/4 ** Changed in: df-libreoffice Status: Unknown => Confirmed ** Changed in: df-libreoffice Importance: Unknown => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862331 Title: [upstream] mozilla cert8.db and key3.db are denied by apparmor To manage notifications about this bug go to: https://bugs.launchpad.net/df-libreoffice/+bug/1862331/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
