63953 – Security : Fortify Privacy Violation

Bug 63953 - Security : Fortify Privacy Violation

Summary: Security : Fortify Privacy Violation

Status:	RESOLVED INVALID

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POI Overall (show other bugs)
Version:	4.1.1-FINAL
Hardware:	PC All

Importance:	P2 critical (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-11-22 13:54 UTC by Sreekanth Basani
Modified:	2019-11-22 14:07 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sreekanth Basani 2019-11-22 13:54:16 UTC

Fortify Report on POI source code identifies the following vulnerability:

Category: Privacy Violation (Security Features, Data Flow)

Description: The method write() in XOREncryptionVerifier.java mishandles confidential information, which can compromise user privacy and is often illegal.

    @Override
    public void write(LittleEndianByteArrayOutputStream bos) {
        bos.write(getEncryptedKey());
        bos.write(getEncryptedVerifier());
    }

Comment 1 Andreas Beeker 2019-11-22 14:07:08 UTC

Reading/writing the encrypted key / verifier is in the spec, i.e. it's part of the file format.

see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/06494548-8c5c-4697-bce1-e2a9fe1c4de4