apport attachment JournalErrors should only be included for crash reports which are private
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apport (Ubuntu) | Fix Released | High | Brian Murray |
Xenial | Fix Released | High | Brian Murray |
Artful | Fix Released | High | Brian Murray |
Bug Description
[Impact]
apport includes an attachment called JournalErrors which includes warnings and errors in journalctl output. This can in rare circumstances include private information.
[Test Case]
1) Run ubuntu-bug apport
2) Observe JournalErrors attachment in the .crash file
With the version of apport from -proposed, JournalErrors will only be included in crash reports, not regular bug reports. So follow the same test case and ensure JournalErrors is not included, then run:
1) d-feet
2) pkill -11 d-feet
3) Observe JournalErrors in the d-feet .crash file
[Regression Potential]
It's possible my code is bad and then apport would crash when collecting journal errors. However, apport will just carry on and not include that attachment, which would still be an improvement as there wouldn't be any private information included.
See the bug report https:/
created with ubuntu-bug.
Original Description
-------
Apport includes the file JournalErrors.txt
This file includes e.g. the following line.
Dez 16 19:11:31 hostname /usr/lib/
Normally it would not be a problem that gdm-x-session writes this to the journal, because the journal is not intended to be published on the internet.
Setting confidential information via the environment is maybe not the best idea, but a legal procedure and for `mpc` the only way to set this information.
IMHO the apport utility is the problem here, because it includes the file with risky information in a publicly visible bug report.
Note: I manually deleted the attachment in the mentioned bug report. But how can I be sure that a web crawler hasn't read/preserved that attachment?
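
The test case above can be checked mechanically. The following is an added example, not part of the bug report or of apport's code: it parses a report in apport's "Key: value" layout, verifies that JournalErrors appears only when ProblemType is Crash, and lists any NAME=value tokens found in the attachment. The sample reports, the `EXAMPLE_SECRET` name and the token regex are constructed assumptions.

```python
import re

# Constructed sample reports in apport's "Key: value" layout; a multi-line
# value continues on lines indented by one space. All values are placeholders.
BUG_REPORT = """ProblemType: Bug
Package: apport
JournalErrors:
 Dec 16 19:11:31 hostname example-session[1234]: setting EXAMPLE_SECRET=placeholder
 Dec 16 19:11:32 hostname kernel: example warning
"""
CRASH_REPORT = BUG_REPORT.replace("ProblemType: Bug", "ProblemType: Crash")
FIXED_BUG_REPORT = "ProblemType: Bug\nPackage: apport\n"

# Heuristic for environment-style assignments (an assumption, not apport's logic).
ENV_ASSIGNMENT = re.compile(r"\b([A-Z_][A-Z0-9_]*)=\S+")


def parse_report(text):
    """Return {key: value}; continuation lines are joined with newlines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key].append(line[1:])
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return {k: "\n".join(v) for k, v in fields.items()}


def check_report(text):
    """JournalErrors is allowed only when ProblemType is Crash.

    Returns (policy_ok, names of NAME=value tokens found in JournalErrors).
    """
    report = parse_report(text)
    journal = report.get("JournalErrors")
    if journal is None:
        return True, []
    names = sorted(set(ENV_ASSIGNMENT.findall(journal)))
    return report.get("ProblemType") == "Crash", names


if __name__ == "__main__":
    for label, text in [("bug", BUG_REPORT), ("crash", CRASH_REPORT),
                        ("fixed bug", FIXED_BUG_REPORT)]:
        print(label, check_report(text))
```

A crash report that passes the policy check can still carry assignment tokens, so the second return value is worth reviewing before a report is made public.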
information type: | Private Security → Public Security |
affects: | evolution (Ubuntu) → apport (Ubuntu) |
tags: | added: xenial |
summary: |
- apport leaks environment variables (including passwords!) to bug - reports + apport is leaking environment variables (including passwords!) to + puplic bug reports |
summary: |
apport is leaking environment variables (including passwords!) to - puplic bug reports + public bug reports |
Changed in apport (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Brian Murray (brian-murray) |
importance: | Undecided → High |
tags: | added: id-5a5f96578e357fc4d5dba7cc |
Changed in apport (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in apport (Ubuntu Artful): | |
status: | New → Triaged |
Changed in apport (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in apport (Ubuntu Artful): | |
importance: | Undecided → High |
summary: |
- apport is leaking environment variables (including passwords!) to - public bug reports + apport attachment JounralErrors should only be included for crash + reports which are private |
description: | updated |
Changed in apport (Ubuntu Artful): | |
assignee: | nobody → Brian Murray (brian-murray) |
Changed in apport (Ubuntu Xenial): | |
assignee: | nobody → Brian Murray (brian-murray) |
summary: |
- apport attachment JounralErrors should only be included for crash + apport attachment JournalErrors should only be included for crash reports which are private |
Indeed you should assume these credentials have been acquired already and reset them as appropriate. Thank you for the report.