security/privacy hole in zeitgeist

Bug #926652 reported by Franck Arnaud
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Zeitgeist Framework | Fix Released | Low | Siegfried Gevatter |
zeitgeist (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

zeitgeist data files don't seem to use the right permissions by default:

user@machine:~/.local/share/zeitgeist$ ls -l
total 7244
-rw-r--r-- 1 user user 3776512 2012-02-03 23:47 activity.sqlite
-rw-rw-r-- 1 user user 1996800 2011-10-17 03:09 activity.sqlite.bck
-rw-r--r-- 1 user user 1623848 2012-02-03 23:47 activity.sqlite-journal

so that any user on the same machine (or with network access to the home drive), including the guest user, will be able to read the highly sensitive private information of everybody else and use it to blackmail the users, or whatever nasty things one could do with private information.

this could be fixed by having the right permissions or even better by making all the privacy-killing features of ubuntu opt in...

Tags: bot-comment
visibility: private → public
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/926652/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → zeitgeist (Ubuntu)
Marc Deslauriers (mdeslaur) wrote :

This is now fixed in Precise by the following commit:

http://bazaar.launchpad.net/~zeitgeist/zeitgeist/bluebird/revision/370

Marc Deslauriers (mdeslaur) wrote :

Actually, it doesn't appear to be doing it, at least for me on Precise.

The whole ~/.local/share/zeitgeist directory should probably be 0600.

Changed in zeitgeist (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in zeitgeist:
assignee: nobody → Siegfried Gevatter (rainct)
Marc Deslauriers (mdeslaur) wrote :

Whoops, the directory should be 0700, not 0600.

Changed in zeitgeist:
importance: Undecided → Low
status: New → Fix Committed
milestone: none → 0.9.0
Changed in zeitgeist:
status: Fix Committed → Fix Released
Changed in zeitgeist (Ubuntu):
status: Confirmed → Fix Released
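
One way to check a home directory for the exposure reported above and to apply the 0700 directory mode from the last comment, as an added example that is not code from the Zeitgeist project or from this thread. The function names are hypothetical, and also stripping group/other bits from the files inside the directory is an assumption of this example (the thread only specifies the directory mode).

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the Zeitgeist data directory.
# The default path is the one shown in the bug report; override with ZG_DIR.
ZG_DIR="${ZG_DIR:-$HOME/.local/share/zeitgeist}"

# List every directory or regular file under $1 that grants any permission
# bit to group or other. Symlinks are skipped: their own mode is meaningless.
zg_audit() {
    find "$1" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} +
}

# Remove all group/other access. A 0755 directory becomes 0700 (the mode
# asked for in the thread); 0644 and 0664 files become 0600 (assumption of
# this example). Owner bits are left untouched.
zg_harden() {
    [ -d "$1" ] || return 1
    find "$1" \( -type d -o -type f \) -exec chmod go-rwx {} +
}

# Stand-alone use: "audit" reports exposed entries, "fix" tightens them and
# then re-runs the audit, which should print nothing.
case "${1:-}" in
    audit) zg_audit "$ZG_DIR" ;;
    fix)   zg_harden "$ZG_DIR" && zg_audit "$ZG_DIR" ;;
esac
```

Files the daemon creates later still get their mode from the process umask, so the 0700 mode on the directory itself is what keeps other local users out.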
This report contains Public Security information  
Everyone can see this security related information.
