GNOME creates thumbnails that leak encrypted data under default Ubuntu configuration

Bug #1695112 reported by Ben Roberts
This bug affects 1 person
Affects: gnome-desktop3 (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Tested on Ubuntu 16.04.2 LTS. Bug appears to be in libgnome-desktop-3-12 (3.18.2-1ubuntu1). Nautilus (1:3.18.4.is.3.14.3-0ubuntu5) used to confirm.

When a user does not have an encrypted home directory, the default Ubuntu installation offers an encrypted Private directory for each user using ecryptfs. The goal, I presume, is to give the user a place where they can protect data from being read directly off the disk.

This entire purpose is defeated, though, because GNOME caches thumbnails of files in Private. These can be detailed enough to reveal contents of the encrypted storage.

To reproduce:
1. Save an image or other thumbnail-able file directly to ~/Private. It could be porn, a naked selfie, ... I used the Ubuntu logo 64_logo.png from Launchpad.
2. Open Nautilus and browse to Private. Confirm that a thumbnail is shown for the image.
3. Find this file's checksum: echo -n 'file:///home/xxx/Private/64_logo.png' | md5sum
4. Confirm that ~/.caches/thumbnails/<size>/<checksum>.png exists and is a scaled-down image of the original file in Private, that has been written to disk outside of an encrypted location.

If this is not a bug, I don't understand why Ubuntu would provide an encrypted Private directory in the first place.

Ideally, this would be fixed by improving gnome_desktop_thumbnail_factory_can_thumbnail so it checks the GNOME Activity Journal configuration for excluded directories, and by including ~/Private in that configuration by default. If eliminating thumbnails entirely impacts usability, it should be possible to make more extensive changes that either cache thumbnails in a location on the same filesystem (much like the hidden Trash directories and Windows' thumbnail handling) or create thumbnails without caching them to disk.

I noticed another security problem while investigating this. libgnome-desktop may also be leaking thumbnail data even if a user's entire home folder is encrypted, through the use of a temporary file here: https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/gnome-desktop3/vivid/view/head:/libgnome-desktop/gnome-desktop-thumbnail.c#L1369 If /tmp is not encrypted or mounted as tmpfs, there is a risk of encrypted data being discovered through forensic investigative methods on the disk. This is probably not the only way encrypted home directory data can leak out to /tmp though.
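An added audit example, not part of the original report and not GNOME's own code: thumbnails written under the freedesktop.org thumbnail convention record their source file in a `Thumb::URI` PNG text chunk, so a cache can be scanned for entries that point into an encrypted directory without recomputing the MD5 names from step 3. The function names, the temporary directory standing in for the thumbnail cache, and the sample files are all constructed for illustration.

```python
import struct, tempfile, zlib
from pathlib import Path
from urllib.parse import unquote, urlparse

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_text_chunks(data):
    """Return {keyword: text} from the tEXt chunks of a PNG byte string."""
    out, pos = {}, len(PNG_SIG)
    if not data.startswith(PNG_SIG):
        return out
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, val = body.partition(b"\x00")
            out[key.decode("latin-1")] = val.decode("latin-1")
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out

def leaked_thumbnails(cache_dir, protected_dir):
    """Return (thumbnail, source path) pairs for cached thumbnails whose
    Thumb::URI points at a file under protected_dir."""
    prefix = str(protected_dir).rstrip("/") + "/"
    hits = []
    for png in sorted(Path(cache_dir).rglob("*.png")):
        uri = png_text_chunks(png.read_bytes()).get("Thumb::URI", "")
        src = unquote(urlparse(uri).path) if uri.startswith("file://") else ""
        if src.startswith(prefix):
            hits.append((png, src))
    return hits

def sample_png(uri):
    """Constructed sample: PNG-shaped file (no image data) with a Thumb::URI."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    text = b"Thumb::URI\x00" + uri.encode("latin-1")
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", text) + chunk(b"IEND", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the thumbnail cache
        normal = Path(tmp, "normal"); normal.mkdir()
        (normal / "a.png").write_bytes(sample_png("file:///home/xxx/Private/64_logo.png"))
        (normal / "b.png").write_bytes(sample_png("file:///home/xxx/Pictures/cat.png"))
        for thumb, src in leaked_thumbnails(tmp, "/home/xxx/Private"):
            print(thumb.name, "<-", src)
```

Run against a real cache by passing the thumbnail cache directory and the absolute path of the Private mount to `leaked_thumbnails`; every hit is a plaintext preview stored outside the encrypted location.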

Marc Deslauriers (mdeslaur) wrote :

Hi,

Can I make this bug public so that it is visible by developers?

Thanks!

Ben Roberts (divestoclimb) wrote :

Sure, I just did it myself.

information type: Private Security → Public Security
Changed in gnome-desktop3 (Ubuntu):
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Changed in gnome-desktop3 (Ubuntu):
importance: Undecided → Low