Bug 724226 (CVE-2020-12801)

Summary:	<app-office/libreoffice-6.4.3.2: Encrypted document may be saved unencrypted if crash (CVE-2020-12801)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	office
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.libreoffice.org/about-us/security/advisories/cve-2020-12801/
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=655150
Whiteboard:	A4 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:	716822
Bug Blocks:

Description Sam James archtester

2020-05-20 00:31:00 UTC

Description:
"If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3."

Comment 1 Sam James archtester

2020-05-20 00:32:41 UTC

Fixed for 6.4.2.x series: <app-office/libreoffice-6.4.2.1

@maintainer(s), will you be bumping to 6.3.6 which fixes this issue in that series, or is that obsolete now?

Comment 2 Andreas Sturmlechner gentoo-dev

2020-05-20 06:35:13 UTC

6.3 branch will be obsolete when 6.4.3.2 was stabilised.

Comment 3 Andreas Sturmlechner gentoo-dev

2020-05-31 21:13:36 UTC

Cleanup done in commit dc341079.

Comment 4 Sam James archtester

2020-05-31 21:17:30 UTC

(In reply to Andreas Sturmlechner from comment #3)
> Cleanup done in commit dc341079.

Thank you.