2012-01-19 01:57:31 |
Allison Karlitskaya |
bug |
|
|
added bug |
2012-05-31 21:11:11 |
davee |
bug |
|
|
added subscriber davee |
2013-01-11 11:02:52 |
Kevin Brubeck Unhammer |
bug |
|
|
added subscriber Kevin Brubeck Unhammer |
2016-11-24 15:40:06 |
Vej |
bug |
|
|
added subscriber Vej |
2016-11-24 15:40:47 |
Vej |
deja-dup: importance |
Undecided |
Critical |
|
2016-11-27 13:03:08 |
Vej |
deja-dup: status |
New |
Triaged |
|
2016-11-27 21:55:31 |
Launchpad Janitor |
branch linked |
|
lp:deja-dup |
|
2016-11-27 22:01:35 |
Michael Terry |
deja-dup: status |
Triaged |
Fix Committed |
|
2016-11-27 22:02:36 |
Michael Terry |
summary |
dejadup allows bad passphrase on full backup |
duplicity allows bad passphrase on full backup if archive cache exists |
|
2016-11-27 22:02:45 |
Michael Terry |
bug task added |
|
duplicity |
|
2016-11-27 22:17:32 |
Michael Terry |
deja-dup: status |
Fix Committed |
Fix Released |
|
2016-11-27 22:17:42 |
Michael Terry |
bug task added |
|
deja-dup (Ubuntu) |
|
2016-11-28 01:02:42 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-desktop/deja-dup/ubuntu |
|
2016-11-30 12:57:33 |
Launchpad Janitor |
deja-dup (Ubuntu): status |
New |
Fix Released |
|
2016-12-02 21:38:13 |
Michael Terry |
description |
When doing a backup for the first time, dejadup verifies your passphrase by having you enter it twice.
On future incremental backups it doesn't need to do this because entering the wrong password will result in the backup failing.
With the periodic 'full' backups that happen from time to time, however, any password will be accepted.
This can lead to a situation where you accidentally type the wrong password once and are left in a situation where you don't know what you typed and have no way to get your files (or do another incremental backup on top of it).
I think this is what happened to me recently.
Clearly, the fix is to explicitly verify the passphrase is correct when doing a new full backup. This may be a duplicity bug. |
When doing a backup for the first time, dejadup verifies your passphrase by having you enter it twice.
On future incremental backups it doesn't need to do this because entering the wrong password will result in the backup failing.
With the periodic 'full' backups that happen from time to time, however, any password will be accepted.
This can lead to a situation where you accidentally type the wrong password once and are left in a situation where you don't know what you typed and have no way to get your files (or do another incremental backup on top of it).
I think this is what happened to me recently.
Clearly, the fix is to explicitly verify the passphrase is correct when doing a new full backup. This may be a duplicity bug.
=== Ubuntu deja-dup SRU information ===
[impact]
Users may unwittingly re-set their backup password and not be able to restore their data.
[test case]
- $ deja-dup-preferences # set up a dummy backup
- $ deja-dup --backup # complete first encrypted full backup
- $ rename 's/\.2016/\.2000/' /path/to/test/backup/*
- $ rename 's/\.2016/\.2000/' ~/.cache/deja-dup/*/*
- $ deja-dup --backup # second backup, enter the wrong password
- $ deja-dup --restore # try to restore with original password
[regression potential]
Should be limited? The fix is to delete the duplicity cache files, which ought to be safe to delete. |
|
2016-12-02 21:38:25 |
Michael Terry |
nominated for series |
|
Ubuntu Xenial |
|
2016-12-02 21:38:25 |
Michael Terry |
bug task added |
|
deja-dup (Ubuntu Xenial) |
|
2016-12-02 21:40:15 |
Michael Terry |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-12-07 13:20:18 |
Brian Murray |
deja-dup (Ubuntu Xenial): status |
New |
Fix Committed |
|
2016-12-07 13:20:22 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2016-12-07 13:20:27 |
Brian Murray |
tags |
|
verification-needed |
|
2016-12-07 13:22:06 |
Brian Murray |
nominated for series |
|
Ubuntu Yakkety |
|
2016-12-07 13:22:06 |
Brian Murray |
bug task added |
|
deja-dup (Ubuntu Yakkety) |
|
2016-12-07 13:22:17 |
Brian Murray |
deja-dup (Ubuntu Yakkety): status |
New |
Triaged |
|
2016-12-08 15:08:40 |
Michael Terry |
nominated for series |
|
Ubuntu Precise |
|
2016-12-08 15:08:40 |
Michael Terry |
bug task added |
|
deja-dup (Ubuntu Precise) |
|
2016-12-08 15:08:40 |
Michael Terry |
nominated for series |
|
Ubuntu Trusty |
|
2016-12-08 15:08:40 |
Michael Terry |
bug task added |
|
deja-dup (Ubuntu Trusty) |
|
2016-12-08 15:19:34 |
Michael Terry |
tags |
verification-needed |
verification-needed-xenial |
|
2016-12-08 15:21:54 |
Michael Terry |
description |
When doing a backup for the first time, dejadup verifies your passphrase by having you enter it twice.
On future incremental backups it doesn't need to do this because entering the wrong password will result in the backup failing.
With the periodic 'full' backups that happen from time to time, however, any password will be accepted.
This can lead to a situation where you accidentally type the wrong password once and are left in a situation where you don't know what you typed and have no way to get your files (or do another incremental backup on top of it).
I think this is what happened to me recently.
Clearly, the fix is to explicitly verify the passphrase is correct when doing a new full backup. This may be a duplicity bug.
=== Ubuntu deja-dup SRU information ===
[impact]
Users may unwittingly re-set their backup password and not be able to restore their data.
[test case]
- $ deja-dup-preferences # set up a dummy backup
- $ deja-dup --backup # complete first encrypted full backup
- $ rename 's/\.2016/\.2000/' /path/to/test/backup/*
- $ rename 's/\.2016/\.2000/' ~/.cache/deja-dup/*/*
- $ deja-dup --backup # second backup, enter the wrong password
- $ deja-dup --restore # try to restore with original password
[regression potential]
Should be limited? The fix is to delete the duplicity cache files, which ought to be safe to delete. |
When doing a backup for the first time, dejadup verifies your passphrase by having you enter it twice.
On future incremental backups it doesn't need to do this because entering the wrong password will result in the backup failing.
With the periodic 'full' backups that happen from time to time, however, any password will be accepted.
This can lead to a situation where you accidentally type the wrong password once and are left in a situation where you don't know what you typed and have no way to get your files (or do another incremental backup on top of it).
I think this is what happened to me recently.
Clearly, the fix is to explicitly verify the passphrase is correct when doing a new full backup. This may be a duplicity bug.
=== Ubuntu deja-dup SRU information ===
[impact]
Users may unwittingly re-set their backup password and not be able to restore their data.
[test case]
- $ deja-dup-preferences # set up a dummy backup
- $ deja-dup --backup # complete first encrypted full backup
- $ rename 's/\.2016/\.2000/' /path/to/test/backup/*
- $ rename 's/\.2016/\.2000/' ~/.cache/deja-dup/*/*
- $ deja-dup --backup # second backup, enter the wrong password
- $ deja-dup --restore # try to restore with original password
[regression potential]
Should be limited? The fix is to delete the duplicity cache files, which ought to be safe to delete.
It's possible if a full backup is being resumed, we might delete the current progress. That is a better bug to have than this bug, though. A more complicated patch would need to be investigated to prevent that. |
|
2016-12-08 15:23:55 |
Michael Terry |
bug task deleted |
deja-dup (Ubuntu Precise) |
|
|
2016-12-09 10:52:52 |
Brian Murray |
deja-dup (Ubuntu Yakkety): status |
Triaged |
Fix Committed |
|
2016-12-09 10:53:01 |
Brian Murray |
tags |
verification-needed-xenial |
verification-needed verification-needed-xenial |
|
2016-12-09 10:54:03 |
Brian Murray |
deja-dup (Ubuntu Trusty): status |
New |
Fix Committed |
|
2016-12-09 16:08:46 |
Michael Terry |
tags |
verification-needed verification-needed-xenial |
verification-done-trusty verification-needed |
|
2016-12-09 18:42:04 |
Michael Terry |
tags |
verification-done-trusty verification-needed |
verification-done-trusty verification-done-xenial verification-needed |
|
2016-12-09 19:00:27 |
Michael Terry |
tags |
verification-done-trusty verification-done-xenial verification-needed |
verification-done-trusty verification-done-xenial verification-done-yakkety |
|
2016-12-14 14:24:41 |
Launchpad Janitor |
deja-dup (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2016-12-14 14:24:45 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2016-12-14 14:24:52 |
Launchpad Janitor |
deja-dup (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-12-14 14:25:00 |
Launchpad Janitor |
deja-dup (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2017-03-06 21:02:09 |
Vej |
bug task added |
|
duplicity (Ubuntu) |
|
2017-08-22 13:14:59 |
Launchpad Janitor |
duplicity (Ubuntu): status |
New |
Confirmed |
|
2017-08-22 13:14:59 |
Launchpad Janitor |
duplicity (Ubuntu Trusty): status |
New |
Confirmed |
|
2017-08-22 13:14:59 |
Launchpad Janitor |
duplicity (Ubuntu Xenial): status |
New |
Confirmed |
|
2017-08-22 13:14:59 |
Launchpad Janitor |
duplicity (Ubuntu Yakkety): status |
New |
Confirmed |
|
2017-10-05 11:58:58 |
Adrian H |
bug |
|
|
added subscriber Andreas H |
2018-03-03 09:39:18 |
suside |
bug |
|
|
added subscriber suside |
2018-12-07 17:20:09 |
Alessander Botti Benevides |
bug |
|
|
added subscriber Alessander Botti Benevides |
2019-04-07 14:06:58 |
Michael Terry |
attachment added |
|
repro.sh https://bugs.launchpad.net/duplicity/+bug/918489/+attachment/5253715/+files/repro.sh |
|
2019-04-07 14:08:33 |
Michael Terry |
summary |
duplicity allows bad passphrase on full backup if archive cache exists |
duplicity allows a new, different passphrase if an archive cache exists |
|
2019-04-07 14:39:22 |
Vej |
duplicity: status |
New |
Confirmed |
|
2019-04-07 14:44:19 |
Vej |
duplicity (Ubuntu): importance |
Undecided |
High |
|
2019-04-07 14:46:14 |
Vej |
duplicity (Ubuntu): status |
Confirmed |
Triaged |
|
2019-08-11 01:51:04 |
Andreas |
bug |
|
|
added subscriber Andreas |
2021-04-01 18:56:50 |
Kenneth Loafman |
duplicity: status |
Confirmed |
Fix Released |
|
2021-10-31 00:45:44 |
Michael Terry |
nominated for series |
|
Ubuntu Bionic |
|
2021-10-31 00:45:44 |
Michael Terry |
bug task added |
|
duplicity (Ubuntu Bionic) |
|
2021-10-31 00:45:44 |
Michael Terry |
bug task added |
|
deja-dup (Ubuntu Bionic) |
|
2021-11-12 09:54:54 |
Sebastien Bacher |
duplicity (Ubuntu Yakkety): status |
Confirmed |
Won't Fix |
|
2021-11-12 09:59:49 |
Sebastien Bacher |
duplicity (Ubuntu): status |
Triaged |
Fix Released |
|
2021-11-12 10:00:02 |
Sebastien Bacher |
deja-dup (Ubuntu Bionic): importance |
Undecided |
High |
|
2021-11-12 10:00:02 |
Sebastien Bacher |
deja-dup (Ubuntu Bionic): status |
New |
Triaged |
|
2021-11-12 10:02:21 |
Sebastien Bacher |
duplicity (Ubuntu Trusty): status |
Confirmed |
Won't Fix |
|
2021-11-12 10:02:34 |
Sebastien Bacher |
duplicity (Ubuntu Xenial): status |
Confirmed |
Won't Fix |
|
2021-11-12 10:02:51 |
Sebastien Bacher |
duplicity (Ubuntu Bionic): status |
New |
Won't Fix |
|
2021-11-30 15:19:25 |
Sebastien Bacher |
deja-dup (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2021-12-01 15:25:14 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-12-01 15:25:22 |
Robie Basak |
tags |
verification-done-trusty verification-done-xenial verification-done-yakkety |
verification-done-trusty verification-done-xenial verification-done-yakkety verification-needed verification-needed-bionic |
|
2021-12-02 00:26:51 |
Michael Terry |
tags |
verification-done-trusty verification-done-xenial verification-done-yakkety verification-needed verification-needed-bionic |
verification-done-bionic verification-done-trusty verification-done-xenial verification-done-yakkety |
|
2021-12-08 17:15:25 |
Launchpad Janitor |
deja-dup (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|