[Bug 63953] New: Security : Fortify Privacy Violation

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63953

            Bug ID: 63953
           Summary: Security : Fortify Privacy Violation
           Product: POI
           Version: 4.1.1-FINAL
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: POI Overall
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Fortify Report on POI source code identifies the following vulnerability:

Category: Privacy Violation (Security Features, Data Flow)

Description: The method write() in XOREncryptionVerifier.java mishandles
confidential information, which can compromise user privacy and is often
illegal.

    @Override
    public void write(LittleEndianByteArrayOutputStream bos) {
        bos.write(getEncryptedKey());
        bos.write(getEncryptedVerifier());
    }

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 63953] Security : Fortify Privacy Violation

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63953

Andreas Beeker <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 OS|                            |All
             Status|NEW                         |RESOLVED

--- Comment #1 from Andreas Beeker <[hidden email]> ---
Reading/writing the encrypted key / verifier is in the spec, i.e. it's part of
the file format.

see
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/06494548-8c5c-4697-bce1-e2a9fe1c4de4

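Added example (not from the bug thread and not POI code): to make concrete what the flagged write() is emitting, the block below implements the CreatePasswordVerifier_Method1 pseudocode from MS-OFFCRYPTO in Python and serialises the result in the same field order as the POI snippet (key, then verifier). Assumptions labelled in the comments: the key and verifier are treated as 2-byte little-endian fields, and the XOR key itself is passed in by the caller because the table-driven CreateXorKey_Method1 derivation is not reproduced here. The sample password and key are constructed for the demonstration.

```python
import struct

# Constants taken from the CreatePasswordVerifier_Method1 pseudocode in MS-OFFCRYPTO.
_VERIFIER_XOR_MASK = 0xCE4B
_MAX_PASSWORD_LEN = 15  # XOR obfuscation passwords are limited to 15 single-byte characters


def _rotate_left_15(value: int) -> int:
    """One step of the spec's 15-bit rotate: bit 14 wraps around into bit 0."""
    carry = 1 if (value & 0x4000) else 0
    return ((value * 2) & 0x7FFF) | carry


def create_password_verifier_method1(password: str) -> int:
    """CreatePasswordVerifier_Method1: 16-bit check value derived from the password.

    The password is handled as single-byte characters, prefixed with its length,
    and folded into the verifier in reverse order. What comes out is a 16-bit
    check value, not the password; this is the value the file format stores.
    """
    pw = password.encode("latin-1")  # assumption: ANSI code page approximated as latin-1
    if len(pw) > _MAX_PASSWORD_LEN:
        raise ValueError("XOR obfuscation passwords are at most 15 characters")
    password_array = bytes([len(pw)]) + pw
    verifier = 0
    for byte in reversed(password_array):
        verifier = _rotate_left_15(verifier) ^ byte
    return verifier ^ _VERIFIER_XOR_MASK


def write_xor_verifier(key: int, verifier: int) -> bytes:
    """Serialise in the order used by the POI write(): key first, then verifier.

    Assumption: both fields are 2-byte little-endian values, as in the spec's
    XOR obfuscation structure.
    """
    return struct.pack("<HH", key & 0xFFFF, verifier & 0xFFFF)


def read_xor_verifier(data: bytes) -> tuple[int, int]:
    """Inverse of write_xor_verifier: returns (key, verifier)."""
    key, verifier = struct.unpack_from("<HH", data, 0)
    return key, verifier


def check_password(data: bytes, candidate: str) -> bool:
    """Recompute the verifier for a candidate password and compare it with the stored one.

    Because the stored verifier is only 16 bits wide, an incorrect candidate
    still matches with probability about 1 in 65536; the verifier is a quick
    consistency check, not proof that the password is correct.
    """
    _, stored = read_xor_verifier(data)
    return create_password_verifier_method1(candidate) == stored


if __name__ == "__main__":
    # Constructed sample: key value chosen arbitrarily, since key derivation is not shown here.
    sample_key = 0x1234
    sample_password = "pass"
    blob = write_xor_verifier(sample_key, create_password_verifier_method1(sample_password))
    print("serialised header bytes:", blob.hex())
    print("verifier matches 'pass':", check_password(blob, "pass"))
    print("verifier matches 'Pass':", check_password(blob, "Pass"))
```

The point the example makes is the one in comment #1: the two values written are fixed fields of the format's XOR obfuscation header, and the verifier in particular is a short check value derived from the password, not the password itself.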