Launchpad private security bug report transmitted in open e-mail

Bug #1352625 reported by John Ross
Affects           Status   Importance   Assigned to   Milestone
Launchpad itself  New      Undecided    Unassigned

Bug Description

This bug exists within Launchpad itself.

Earlier today I filed a bug report with security vulnerability option checked. (See https://bugs.launchpad.net/bugs/1352578)

By default security vulnerability issues are supposed to be kept private. A few minutes after filing the bug report, I received an e-mail confirmation. The confirmation was sent in an open / unencrypted e-mail! Fortunately, my bug report did NOT reveal a significant security vulnerability, otherwise it may have been possible for someone to intercept the e-mail and take advantage of whatever vulnerability was disclosed in the private bug report.

Note that I later converted my original bug report to public, but the e-mail I received was clearly marked private as shown by this snippet from the confirmation e-mail:

    *** This bug is a security vulnerability ***

    Private security bug reported:

I might suggest that suitable Launchpad code (I have no idea what) be modified to prevent propagation of private security vulnerability bug reports via open / unencrypted e-mail. Security vulnerability bug reports marked private should remain within Launchpad. If e-mail is to be used, it should be done only with appropriate individuals using suitable encryption methods.
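The mitigation the report asks for can be expressed as a notification policy: when a bug's information type is private, the e-mail that leaves the tracker carries only a login-gated link, never the title, description or the "security vulnerability" banner. The following is an added example written for this page, not Launchpad's own notification code; the Bug dataclass, the set of information types treated as private, the two build_* functions and the leaks_private_content check are all assumptions of the example, and the sample bugs in the demo are constructed.

```python
from dataclasses import dataclass
from email.message import EmailMessage

# Information types treated as "must not leave the tracker in clear text".
# The names follow the labels seen on Launchpad bug pages; the grouping is
# this example's assumption, not Launchpad's definition.
PRIVATE_TYPES = {"Private", "Private Security", "Proprietary"}


@dataclass
class Bug:
    number: int
    title: str
    description: str
    information_type: str

    @property
    def url(self) -> str:
        return f"https://bugs.launchpad.net/bugs/{self.number}"


def is_private(bug: Bug) -> bool:
    return bug.information_type in PRIVATE_TYPES


def build_naive_notification(bug: Bug, recipient: str) -> EmailMessage:
    """The behaviour the report complains about: the full report is mailed
    regardless of information type, with the security banner on top."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = f"[Bug {bug.number}] {bug.title}"
    banner = ""
    if "Security" in bug.information_type:
        banner = "*** This bug is a security vulnerability ***\n\n"
    msg.set_content(f"{banner}{bug.description}\n\n{bug.url}\n")
    return msg


def build_notification(bug: Bug, recipient: str) -> EmailMessage:
    """Hardened variant: public bugs still get the full report, private
    bugs get a link-only notice with nothing that discloses the issue."""
    msg = EmailMessage()
    msg["To"] = recipient
    if is_private(bug):
        msg["Subject"] = f"[Bug {bug.number}] New private bug report"
        msg.set_content(
            "A bug you reported or are subscribed to has been filed with "
            f"information type '{bug.information_type}'.\n"
            "Its contents are not included in e-mail; log in to view it:\n"
            f"{bug.url}\n"
        )
    else:
        msg["Subject"] = f"[Bug {bug.number}] {bug.title}"
        msg.set_content(f"{bug.description}\n\n{bug.url}\n")
    return msg


def leaks_private_content(bug: Bug, msg: EmailMessage) -> bool:
    """Last check before the message reaches the MTA: for a private bug,
    does the Subject or body contain anything that belongs behind the login?"""
    if not is_private(bug):
        return False
    # Use the unfolded header and decoded body so line wrapping on the wire
    # cannot hide a match.
    text = f"{msg['Subject'] or ''}\n{msg.get_content()}"
    sensitive = (bug.title, bug.description, "security vulnerability")
    return any(s and s in text for s in sensitive)


if __name__ == "__main__":
    # Constructed sample: a private security bug and its two notifications.
    bug = Bug(100001, "Constructed private title", "Constructed details.",
              "Private Security")
    for name, fn in (("naive", build_naive_notification),
                     ("hardened", build_notification)):
        mail = fn(bug, "reporter@example.org")
        print(f"{name}: leaks={leaks_private_content(bug, mail)}")
```

Encrypting the full report to a subscriber's published GPG key, as is done when reporting to the security team directly, would be the other branch a real implementation could take for recipients with a key on file; this example only shows the redaction path.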

John Ross (johnross-johnross) wrote :

I can confirm that I just received an e-mail confirmation of this very private security bug report minutes after it was filed.

Seth Arnold (seth-arnold) wrote :

Hmm, it appears I can't change the project to Launchpad Itself. I wonder why...

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

A note for the future: it is possible to report security issues to the Ubuntu security team privately via email to <email address hidden>. The corresponding GPG keyids can be found at the individual member pages linked from https://launchpad.net/~ubuntu-security/+members#active

John Ross (johnross-johnross) wrote :

Thanks for the advice. I too was unable to set the project to Launchpad. I'm not usually involved in this kind of thing so I thought it was a user error on my part.

I sent a link to this bug to a friend. He was able to see the whole report and subscribe. It is yet unclear if that was possible before or after you set it to public status. Probably should test to be sure?

Seth Arnold (seth-arnold) wrote :

When this was set to Private Security, only you and the Ubuntu security team, and select administrators, could see the issue. I marked it public because thousands of people have filed private security issues and received plain text emails; it's not a secret. (There's not much that is kept secret for long; once coredumps have been analyzed, they are deleted and the bug automatically made public.)

Thanks

John Ross (johnross-johnross) wrote :

I read through my friend's e-mail again and it appears he accessed the report only 16 seconds after you switched it to public. Sorry for any confusion on that point.

I don't doubt that thousands of people have received plain text email on private security issues under the current system with no harm done. The question remains however whether it is the correct policy? Clearly in most cases it's no big deal, but someday there may well be a case where it is and that is why I filed the bug report.

Thanks again for your help!

no longer affects: ubuntu
This report contains Public Security information
Everyone can see this security related information.
