[Libreoffice-bugs] [Bug 144555] New: Inadvertent security leakage path from encrypted LO docs via Add To Dictionary

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Thu Sep 16 18:54:22 UTC 2021 

https://bugs.documentfoundation.org/show_bug.cgi?id=144555

            Bug ID: 144555
           Summary: Inadvertent security leakage path from encrypted LO
                    docs via Add To Dictionary
           Product: LibreOffice
           Version: 7.2.0.4 release
          Hardware: All
                OS: Windows (All)
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Writer
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: rdbingham at verizon.net

Version: 7.2.0.4 (x64) / LibreOffice Community
Build ID: 9a9c6381e3f7a62afc1329bd359cc48accb6435b
CPU threads: 8; OS: Windows 10.0 Build 19043; UI render: Skia/Raster; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: threaded

Note: Likely applies to all LO major modules having word dictionary features on
all LO-supported OS platforms.

On Windows at least, LO keeps user-defined word dictionaries and user
incremental additions to LO standard dictionaries (such as standard.dic) in the
directory Users\<username>\AppData\Roaming\LibreOffice\4\user\wordbook as *.dic
plaintext files that are viewable/edititable with any *.txt capable tool.

>From within an open LO doc (tested with Writer) that is configured for default
LO encryption (not PGP, etc.) and requiring a password to open, adding a word
to a language dictionary such as by habitual right-click context menu on a red
squiggle alert in the doc text results in that entry appearing in plain text in
one of the un-encrypted plaintext *.dic files noted above.

https://help.libreoffice.org/7.2/en-US/text/shared/guide/protection.html?DbPAR=SHARED#bm_id3150620
on protecting docs (or portions thereof) with passwords and LO encryption has a
warning "Information entered in File - Properties is not encrypted. This
includes the name of the author, creation date, word and character counts." but
is silent regards Add To Dictionary actions resulting in un-protected data.

STEPS TO REPRODUCE:

1) In the appropriate user home sub-directory for the OS platform where LO
keeps user-specific app data infrastructure files, examine the user-specific
*.dic files (standard and user created). On Windows these are plaintext.

2) Create a Writer document (or other LO doc where word dictionary is a
feature) and configure it for default LO encryption then save it with a
password.  We declare the doc to be "encrypted".

2) Open the encrypted doc or just continue from step 2 after the encrypting
save.  Create a test word such as TestDictEncrypt.  Add that test word to a
standard or a user-created dictionary.

3) For completeness, close the encrypted doc.

4) Re-examine the *.dic files for the presence of the test word in plaintext.

5) If the test word is found plaintext, it has now leaked from the encrypted
context.

The security issue here is that adding a word to a dictionary, especially user
created dictionaries, is a habitual, muscle-memory action for users.  A user
could perform this action then immediately forget that they did.  The LO UI
does not by default add a work effort step to warn the user they are exporting
data plaintext from the encrypted context of an open encrypted doc.  Nor, via
Tools->Options->Security does the UI provide a way to prevent insecure Add to
Dictionary or enable a work effort warning if to be allowed.

Now, the same could be said for Copy to (system) Clipboard however I suggest
that action is somewhat more obvious in what it is doing whereas Add to
Dictionary is opaque in how it is implemented.

I suggest Help should be updated immediately concerning insecure Add to
Dictionary.  

I suggest until a secure Add to Dictionary function is in place (if ever) that
by default actions that export data from an open encrypted doc should have work
effort warnings managed via Tools->Options->Security.

I suggest that since each encrypted doc should be its own encryption security
pocket universe, then a model for dictionary management would extend the
exiting merge model (user additions to standard.dic are kept local but act as
merged with LO-system wide standard.dic to the user, user-created dictionaries
are just local only) to merge again with ".dic file" objects maintained as
additional meta-data within the encrypted portion of each encrypted doc file. 
The effect is that of doc-file specific dictionaries (or dictionary increments
for merge). Help would then need to be updated to explain this model.

Regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20210916/3aa9685b/attachment.htm>

More information about the Libreoffice-bugs mailing list