CVE-2022-26307: add Initialization Vectors to password storage
author Caolán McNamara <caolanm@redhat.com>
Tue, 22 Mar 2022 17:22:22 +0000 (17:22 +0000)
committer Bastien Roucariès <rouca@debian.org>
Sat, 25 Mar 2023 10:55:37 +0000 (10:55 +0000)
commit bfc5cdad8e7331fc584018f82a58c9001c8e02cf
tree 6b50a053a53f2aad34906c38d006644b606104c4
parent 1e6a99c8bb0a12c1d61da39f35043741beade663
CVE-2022-26307: add Initialization Vectors to password storage

LibreOffice supports the storage of passwords for web connections in
the user’s configuration database. The stored passwords are encrypted
with a single master key provided by the user. A flaw in LibreOffice
existed where the master key was poorly encoded, resulting in weakening its
entropy from 128 to 43 bits, making the stored passwords vulnerable to a
brute force attack if an attacker has access to the user's stored
config.

old ones default to the current all zero case and continue to work
as before

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131974
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 192fa1e3bfc6269f2ebb91716471485a56074aea)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132306
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
(cherry picked from commit ab77587ec300f5c30084471000663c46ddf25dad)

(cherry picked from commit 713296ecd30bab02d41fcd23f19afed28d916701)

Change-Id: I6fe3b02fafcce1b5e7133e77e76a5118177d77af
origin: https://github.com/LibreOffice/core/commit/55d3095f14e98e5d2aadddf392911ca2d2b6dca9.patch
bug: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2022-26307

Gbp-Pq: Name 0070-CVE-2022-26307-add-Initialization-Vectors-to-passwor.patch
officecfg/registry/schema/org/openoffice/Office/Common.xcs
svl/source/passwordcontainer/passwordcontainer.cxx
svl/source/passwordcontainer/passwordcontainer.hxx
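
The compatibility rule in the commit message (entries stored without an IV are read with the all-zero IV, new entries get their own) can be sketched as follows. This is an added example, not code from the patch or from LibreOffice: the record fields `ct` and `iv`, the function names, and the HMAC-SHA256 keystream standing in for the real cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)  # legacy entries: no stored IV means the all-zero IV

def _prf(key, block):
    # Stand-in for the cipher's forward direction (assumption, not the real cipher).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _feedback_xor(key, iv, data, decrypt):
    # Ciphertext-feedback stream: each keystream block depends on the previous
    # ciphertext block, and the very first one depends only on key and IV.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        mixed = bytes(a ^ b for a, b in zip(chunk, _prf(key, prev)))
        out += mixed
        prev = (chunk if decrypt else mixed).ljust(BLOCK, b"\0")
    return bytes(out)

def store(key, password, with_iv=True):
    # with_iv=False reproduces the old on-disk form (hypothetical record layout).
    iv = os.urandom(BLOCK) if with_iv else ZERO_IV
    record = {"ct": _feedback_xor(key, iv, password.encode(), False).hex()}
    if with_iv:
        record["iv"] = iv.hex()
    return record

def load(key, record):
    # A missing or empty IV falls back to all zeros, so old records keep working.
    iv = bytes.fromhex(record["iv"]) if record.get("iv") else ZERO_IV
    return _feedback_xor(key, iv, bytes.fromhex(record["ct"]), True).decode()

if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    old_a = store(key, "hunter2-example", with_iv=False)
    old_b = store(key, "hunter2-other", with_iv=False)
    new_a = store(key, "hunter2-example")
    # Under the fixed IV the shared 8-byte prefix shows up in the ciphertext.
    print("legacy prefix match:", old_a["ct"][:16] == old_b["ct"][:16])
    print("per-entry IV prefix match:", old_a["ct"][:16] == new_a["ct"][:16])
    print("round trip:", load(key, old_a), load(key, new_a))
```

With the fixed IV, equal passwords or equal password prefixes under one master key produce equal ciphertext prefixes; a per-entry IV removes that correlation while `load` still reads the old records.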