incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject [Bug 121141] New: Document Properties Security Tab Misnamed
Date Sun, 30 Sep 2012 18:59:37 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=121141

          Priority: P3
            Bug ID: 121141
                CC: ooo-issues@incubator.apache.org
          Assignee: issues@security.openoffice.org
           Summary: Document Properties Security Tab Misnamed
          Severity: normal
        Issue Type: DEFECT
    Classification: Code
                OS: All
          Reporter: orcmid@apache.org
          Hardware: All
            Status: CONFIRMED
           Version: AOO 3.4.1
         Component: www
           Product: security

Created attachment 79694
  --> https://issues.apache.org/ooo/attachment.cgi?id=79694&action=edit
This is the File | Properties dialog of AOOi 3.4.1 Writer, showing the
"Security" tab options.

In AOOi 3.4.1 Writer, the File | Properties dialog has a tab named "Security." 
The tab does not provide Security functionality.  It provides Protection
functionality with regard to having the document be kept read-only and to have
change-tracking locked using special protection attributes in the ODF settings
information.

These are not security functions.  It is dangerous to identify them as anything
other than protection measures.

 1. The protections are trivial to defeat, without ever knowing the password.
 2. It is possible to use the protection hash to forge the protections on
altered documents and on other documents.
 3. Because the hash of the protection password is in "plain sight" in the
document, the password is subject to attack, discovery, and compromise.

For more about the exposure of protection settings to various compromises, see
https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
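
A defender's check for the exposure described in the report above, as an added example that is not part of the original bug report or of the AOO code base: it inspects an ODF package's settings.xml and reports whether a change-tracking protection hash and a read-only flag are stored there. The item names `RedlineProtectionKey` and `LoadReadonly` are assumptions about how Writer stores these settings (the report does not name them), and the sample document is constructed.

```python
import base64
import io
import xml.etree.ElementTree as ET
import zipfile

OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
CONFIG_NS = "urn:oasis:names:tc:opendocument:xmlns:config:1.0"
# Assumed settings.xml item names; the report itself does not name them.
KEY_ITEM = "RedlineProtectionKey"  # change-tracking protection hash
READONLY_ITEM = "LoadReadonly"     # "open read-only" flag


def audit_protection(odf_bytes):
    """Report the protection settings an ODF package stores in settings.xml."""
    report = {"protection_key_present": False, "key_length": 0, "load_readonly": False}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        if "settings.xml" not in pkg.namelist():
            return report
        data = pkg.read("settings.xml")
    if b"<!DOCTYPE" in data:  # ODF needs no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in settings.xml")
    for item in ET.fromstring(data).iter(f"{{{CONFIG_NS}}}config-item"):
        name = item.get(f"{{{CONFIG_NS}}}name")
        value = (item.text or "").strip()
        if name == KEY_ITEM and value:
            report["protection_key_present"] = True
            report["key_length"] = len(base64.b64decode(value))
        elif name == READONLY_ITEM:
            report["load_readonly"] = value == "true"
    return report


def build_sample(with_key):
    """Constructed in-memory package; the key bytes are filler, not a real hash."""
    key = base64.b64encode(bytes(range(20))).decode() if with_key else ""
    settings = (
        f'<office:document-settings xmlns:office="{OFFICE_NS}" xmlns:config="{CONFIG_NS}">'
        '<office:settings><config:config-item-set config:name="ooo:configuration-settings">'
        f'<config:config-item config:name="{KEY_ITEM}" config:type="base64Binary">{key}</config:config-item>'
        f'<config:config-item config:name="{READONLY_ITEM}" config:type="boolean">true</config:config-item>'
        "</config:config-item-set></office:settings></office:document-settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_protection(build_sample(with_key=True)))
```

A document flagged with `protection_key_present` carries the password hash in a file any recipient can read, so the setting should be treated as an editing convenience and not as access control.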