source package names are leaked from private PPAs

Bug #1574807 reported by Chris J Arges on 2016-04-25
Affects: Launchpad itself
Importance: High
Assigned to: Colin Watson

Bug Description

Source package names have no security attached such that publishing them into a private PPA exposes that name to be targeted via other bugs. A method to check publications in the package picker is needed to ensure it can't pick packages that are only published in private PPAs.

Test case:
1) Create private PPA
2) Publish new source package with unique name : 'privatepackage'
3) File a bug with a completely unrelated public project
4) Pick a package and search for 'privatepackage'
Here we expect 'privatepackage' will not be visible, but currently it is.
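
The check the report asks for, sketched as an added example that is not part of the bug report and is not Launchpad's code. The `Publication` model, the function names and the sample data are assumptions made for illustration; scoping the search to a distribution follows the distribution drop-down mentioned later in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Publication:
    """Constructed model of one source publication (not Launchpad's schema)."""
    source_name: str
    distribution: str
    archive: str
    archive_private: bool


# Constructed sample data following the report's test case.
PUBLICATIONS = [
    Publication("hello", "ubuntu", "primary", False),
    Publication("privatepackage", "ubuntu", "ppa:team/secret", True),
    Publication("sharedname", "ubuntu", "ppa:team/secret", True),
    Publication("sharedname", "ubuntu", "primary", False),
    Publication("debonly", "debian", "primary", False),
]


def leaky_search(publications, query):
    """Behaviour described in the report: every known name is searchable."""
    return sorted({p.source_name for p in publications
                   if query in p.source_name})


def public_search(publications, distribution, query):
    """Offer a name only if it has at least one publication in a public
    archive of the selected distribution."""
    return sorted({
        p.source_name
        for p in publications
        if p.distribution == distribution
        and not p.archive_private
        and query in p.source_name
    })


def private_only_names(publications):
    """Audit helper: names a picker must never reveal, because every
    publication of them lives in a private archive."""
    public = {p.source_name for p in publications if not p.archive_private}
    return sorted({p.source_name for p in publications} - public)
```

A name published in both a private PPA and a public archive (`sharedname` here) stays visible, since the public publication already discloses it.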

Colin Watson (cjwatson) on 2016-06-09
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Colin Watson (cjwatson) on 2016-06-21
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2016-06-21
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

My changes aren't quite working yet: the picker doesn't pick up the current value of the distribution drop-down, and Distribution:+filebug (at least) isn't using the new vocabulary yet. However, it's all behind a disabled feature flag, so this doesn't need to block deployments.

tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2016-07-28
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2016-09-09
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2016-09-19
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2016-09-22
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2017-04-26
information type: Private Security → Public Security