<html>
    <head>
      <base href="https://bugs.documentfoundation.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_UNCONFIRMED "
   title="UNCONFIRMED - LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents"
   href="https://bugs.documentfoundation.org/show_bug.cgi?id=119811">119811</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>LibreOffice
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>6.0.6.2 release
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>UNCONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>LibreOffice
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>libreoffice-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>libreoffice@magissia.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Description:
When opening a docx,xlsx,pptx file, LibreOffice tries to access my Firefox's
certificate store and keychain (as reported by default AppArmor rules provided
by Canonical on Ubuntu 18.04)
Said files has no digital signature to check, if it were the case, it would be
required to use system's certificate store and/or seahorse's certificate store.

Affected versions are 6.0.3 provided by Canonical and 6.0.6 provided by
document foundation launchpad PPA.

There are no visible reasons for LibreOffice to try to read anything from
Firefox.

Here are the logs produced by AppArmor when opening such files :

home/Magissia/.mozilla/firefox/mwad0hks.default/cert8.db" pid=19509
comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 11 18:25:31 Marshmallow kernel: [18154.693846] audit: type=1400
audit(1536683131.498:70): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/Magissia/.mozilla/firefox/mwad0hks.default/key3.db" pid=19509
comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Sep 11 18:25:40 Marshmallow kernel: [18163.215743] audit: type=1400
audit(1536683140.018:71): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/proc/version" pid=19509 comm="soffice.bin"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Steps to Reproduce:
1. Open any docx file created with Microsoft Word 2013 or superior
2. Enjoy invasion of privacy

Actual Results:
LibreOffice tries to read private files that has nothing to do with the
document or LibreOffice

Expected Results:
Not reading Firefox's files when opening documents


Reproducible: Always


User Profile Reset: Yes


OpenGL enabled: Yes

Additional Info:
Version: 6.0.6.2
Build ID: 1:6.0.6-0ubuntu0.18.04.1
Threads CPU : 2; OS : Linux 4.15; UI Render : par défaut; VCL: gtk3; 
Locale : fr-FR (fr_FR.UTF-8); Calc: group</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>