[libreoffice-users] FYI: LO's security system is compromised, please be careful

Sayt Bahal <sayt.bahal -AT- gmail.com>

Wed, 29 Jan 2014 15:38:51 +0100

It turned out that LibreOffice has a security-related issue ( https://bugs.freedesktop.org/show_bug.cgi?id=51819), that makes it save the AutoRecovery files for password-protected documents without any protection (encryption). It essentially means, that with AutoRecovery enabled (which is the default): - after an application or system crash (eg. a power failure) anybody can recover the document without knowing the password (the document 'loses' its password) - anybody who has access to the system drive (eg. through the network) while you are editing a document can open it without knowing the password - anybody who has physical access to your system hard drive, now or in the future (at worst even months/years after the actual editing), has the chance to unerase the document and open it without knowing the password If you use password-protection a lot and are concerned about the security of your documents, it could be advisable to switch the AutoRecovery feature off until the bug gets fixed. The issue applies to all LibreOffice modules (Writer, Calc, Draw, ...) and was introduced in version 3.4.6 (March 2012). ------------------ For developers only: It also turned out, that (a bit surprisingly) the lead developers have other priorities than fixing such security issues, and are waiting (since May 2013) for the community to step in. If you have the necessary knowledge and free time to track down and potentially to fix this issue, please do not hesitate to take a look into it and help in maintaining the security standard that millions of users worldwide impose on such professional products as LibreOffice. Thank you! -- To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/users/ All messages sent to this list will be publicly archived and cannot be deleted

Context

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.