shutter lists private files in log

Bug #1905480 reported by Bartłomiej Żogała
This bug affects 1 person
Affects: Shutter
Status: Fix Released
Importance: Undecided
Assigned to: Michael Kogan
Milestone: -

Bug Description

The files below are not of type png, and a message for each is put in the log file:

lis 24 17:18:02 xps13 shutter.desktop[9432]: Searching for files with pattern: (?^u:\$name_(\d\d\d)\.png)
lis 24 17:18:02 xps13 shutter.desktop[9432]: Searching for files with pattern: (?^u:.{1,}_(\d\d\d)\.png)
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi5563939230629492036.tmp
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi55217518014263756.tmp
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing adb.1000.log
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing 6IhR7T7dp9
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing vboxdrv-Module.symvers
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing nsemail.eml
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi12482024854655372856.tmp
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi17332033362848974205.tmp
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi14996305376424531539.tmp
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing temp-file-name13882544806446572942.png
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing jffi18326075255254932900.tmp

From a security perspective, even if this is just a filename, such debug output should be disabled by default unless the user is made aware of it.
An example data leak scenario would be if shutter files are saved in a mount point encrypted on demand.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: shutter 0.94-1
ProcVersionSignature: Ubuntu 4.15.0-124.127-generic 4.15.18
Uname: Linux 4.15.0-124-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.9-0ubuntu7.20
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Nov 25 00:06:22 2020
InstallationDate: Installed on 2015-05-08 (2027 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
SourcePackage: shutter
UpgradeStatus: Upgraded to bionic on 2018-08-26 (821 days ago)
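
An added example, not part of the original report and not Shutter's code: a Python audit that reads journal lines in the format shown above and separates logged names that fit the screenshot pattern from unrelated names that ended up in the log. The `Selection_001.png` line is constructed, and treating the logged Perl pattern as a Python regex applied with `search` is an assumption.

```python
import re

# Journal lines: the first four are copied from the report above;
# the last one (Selection_001.png) is constructed for illustration.
SAMPLE_JOURNAL = r"""
lis 24 17:18:02 xps13 shutter.desktop[9432]: Searching for files with pattern: (?^u:.{1,}_(\d\d\d)\.png)
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing adb.1000.log
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing nsemail.eml
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing temp-file-name13882544806446572942.png
lis 24 17:18:02 xps13 shutter.desktop[9432]: Comparing Selection_001.png
"""

# "<timestamp> <host> shutter.desktop[<pid>]: <message>"
LINE = re.compile(r"^.*?\sshutter\.desktop\[\d+\]: (.*)$")
# Perl prints a compiled regex as (?^flags:BODY); keep only BODY.
PERL_QR = re.compile(r"^\(\?\^[a-z]*:(.*)\)$")
SEARCH_PREFIX = "Searching for files with pattern: "
COMPARE_PREFIX = "Comparing "


def audit(journal_text):
    """Return (matching, unrelated) filenames that shutter wrote to the log."""
    pattern, matching, unrelated = None, [], []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a shutter.desktop line
        msg = m.group(1)
        if msg.startswith(SEARCH_PREFIX):
            body = PERL_QR.match(msg[len(SEARCH_PREFIX):])
            # Assumption: the logged pattern is also valid Python regex syntax.
            pattern = re.compile(body.group(1)) if body else None
        elif msg.startswith(COMPARE_PREFIX):
            name = msg[len(COMPARE_PREFIX):]
            # Assumption: unanchored search approximates the comparison.
            hit = pattern is not None and pattern.search(name)
            (matching if hit else unrelated).append(name)
    return matching, unrelated


if __name__ == "__main__":
    matching, unrelated = audit(SAMPLE_JOURNAL)
    print("screenshot-like names:", matching)
    print("unrelated names exposed in the log:", unrelated)
```

On a real system the input would be the saved text of the user's journal; every name in the second list is a file that had nothing to do with screenshots yet was recorded in the log.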

Bartłomiej Żogała (nusch) wrote :
Seth Arnold (seth-arnold) wrote :

Hello Bartłomiej, can we set this bug report public so others may see it? I'm not sure if your filenames are things you'd like to keep private or not.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

tags: added: community-security
Changed in shutter (Ubuntu):
status: New → Confirmed
Bartłomiej Żogała (nusch) wrote : Re: [Bug 1905480] Re: shutter lists private files in log

Sure

On Thu, 26 Nov 2020 at 04:20, Seth Arnold <email address hidden> wrote:

> Hello Bartłomiej, can we set this bug report public so others may see
> it? I'm not sure if your filenames are things you'd like to keep private
> or not.
>
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. Since the package referred to in this bug is in universe or
> multiverse, it is community maintained. If you are able, I suggest
> coordinating with upstream and posting a debdiff for this issue. When a
> debdiff is available, members of the security team will review it and
> publish the package. See the following link for more information:
> https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
>
> Thanks
>
> ** Tags added: community-security
>
> ** Changed in: shutter (Ubuntu)
> Status: New => Confirmed
>

information type: Private Security → Public Security
Michael Kogan (michael-kogan) wrote :

Fixed in 0.96.

Changed in shutter (Ubuntu):
assignee: nobody → Michael Kogan (michael-kogan)
status: Confirmed → Fix Released
affects: shutter (Ubuntu) → shutter
This report contains Public Security information  
Everyone can see this security related information.
