Bug 63953 - Security : Fortify Privacy Violation
Summary: Security : Fortify Privacy Violation
Status: RESOLVED INVALID
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: 4.1.1-FINAL
Hardware: PC All
Importance: P2 critical
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-22 13:54 UTC by Sreekanth Basani
Modified: 2019-11-22 14:07 UTC
Description Sreekanth Basani 2019-11-22 13:54:16 UTC
Fortify Report on POI source code identifies the following vulnerability:

Category: Privacy Violation (Security Features, Data Flow)

Description: The method write() in XOREncryptionVerifier.java mishandles confidential information, which can compromise user privacy and is often illegal.

    @Override
    public void write(LittleEndianByteArrayOutputStream bos) {
        bos.write(getEncryptedKey());
        bos.write(getEncryptedVerifier());
    }
Comment 1 Andreas Beeker 2019-11-22 14:07:08 UTC
Reading/writing the encrypted key / verifier is in the spec, i.e. it's part of the file format.

see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/06494548-8c5c-4697-bce1-e2a9fe1c4de4
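To show why the written fields are format data rather than a leaked secret, here is an added example (not POI's code) that transcribes the XOR obfuscation verifier derivation method 1 from the linked MS-OFFCRYPTO section into Python: a 16-bit check value is derived from the password, serialized after the key exactly as the reported write() does, and later used only to test a candidate password. The key value is a constructed placeholder, since the spec's key derivation needs lookup tables not reproduced here.

```python
"""XOR obfuscation password verifier (MS-OFFCRYPTO, verifier derivation method 1)."""
import struct

VERIFIER_XOR_CONSTANT = 0xCE4B  # final constant applied by the spec's procedure


def _rotate_left_15(v: int) -> int:
    # Intermediate1 = bit 14 of v, Intermediate2 = (v << 1) kept to 15 bits,
    # result = Intermediate1 | Intermediate2 (a 15-bit left rotation)
    high = 1 if v & 0x4000 else 0
    return high | ((v << 1) & 0x7FFF)


def create_verifier(password: str) -> int:
    """16-bit verifier derived from the password; the password itself is never stored."""
    pw = password.encode("latin-1")  # the spec works on single-byte (ANSI) password bytes
    if not pw:
        return 0
    verifier = 0
    # PasswordArray = [length] + password bytes, consumed in reverse order,
    # so the length byte is folded in last
    for b in reversed(pw):
        verifier = _rotate_left_15(verifier) ^ b
    verifier = _rotate_left_15(verifier) ^ len(pw)
    return (verifier ^ VERIFIER_XOR_CONSTANT) & 0xFFFF


def write_verifier(encrypted_key: int, encrypted_verifier: int) -> bytes:
    """Same layout as the reported write(): key, then verifier, each a little-endian uint16."""
    return struct.pack("<HH", encrypted_key & 0xFFFF, encrypted_verifier & 0xFFFF)


def read_verifier(data: bytes):
    """Parse the 4-byte key/verifier block back into (key, verifier)."""
    key, verifier = struct.unpack_from("<HH", data)
    return key, verifier


def verify_password(data: bytes, candidate: str) -> bool:
    """Reader side: recompute the verifier from a candidate password and compare."""
    _, stored = read_verifier(data)
    return stored == create_verifier(candidate)


if __name__ == "__main__":
    KEY = 0x1234  # constructed placeholder; real key derivation needs the spec's tables
    header = write_verifier(KEY, create_verifier("abc"))
    print(header.hex(), verify_password(header, "abc"), verify_password(header, "abd"))
```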