2137844 – (CVE-2020-12801) CVE-2020-12801 libreoffice: crash recovered MSOffice encrypted documents defaulted to not to using encryption on next save

Bug 2137844 (CVE-2020-12801) - CVE-2020-12801 libreoffice: crash recovered MSOffice encrypted documents defaulted to not to using encryption on next save

Summary: CVE-2020-12801 libreoffice: crash recovered MSOffice encrypted documents defa...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-12801
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2137646
TreeView+	depends on / blocked

Reported:	2022-10-26 11:42 UTC by TEJ RATHI
Modified:	2022-12-02 15:33 UTC (History)
CC List:	1 user (show)
Fixed In Version:	libreoffice 6.3.6, libreoffice 6.4.3
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in LibreOffice which exists due to an error when processing encrypted files in LibreOffice. If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. The vulnerability allows a local user to gain access to potentially sensitive information.
Clone Of:
Environment:
Last Closed:	2022-12-02 15:33:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2022-10-26 11:42:19 UTC

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.

References:
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html

Comment 2 Product Security DevOps Team 2022-12-02 15:33:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12801

Note You need to log in before you can comment on or make changes to this bug.