source package names are leaked from private PPAs

Bug #1574807 reported by Chris J Arges
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Colin Watson

Bug Description

Source package names have no security attached such that publishing them into a private PPA exposes that name to be targeted via other bugs. A method to check publications in the package picker is needed to ensure it can't pick packages that are only published in private PPAs.

Test case:
1) Create private PPA
2) Publish new source package with unique name: 'privatepackage'
3) File a bug with a completely unrelated public project
4) Pick a package and search for 'privatepackage'
Here we expect 'privatepackage' will not be visible, but currently it is.

Tags: qa-ok
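
The check requested in the bug description, as an added example (a simplified model, not Launchpad's code): a picker search that matches every known source name, next to one that only offers names with at least one publication in a public archive. The `Archive` and `Publication` classes, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Archive:
    name: str
    private: bool


@dataclass(frozen=True)
class Publication:
    source_name: str
    archive: Archive


# Constructed sample data mirroring the test case in the bug description.
PRIMARY = Archive("primary", private=False)
PUBLIC_PPA = Archive("ppa:team/public", private=False)
PRIVATE_PPA = Archive("ppa:team/private", private=True)

PUBLICATIONS = [
    Publication("hello", PRIMARY),
    Publication("privatepackage", PRIVATE_PPA),  # only ever published privately
    Publication("sharedpackage", PRIVATE_PPA),   # has private and public copies
    Publication("sharedpackage", PUBLIC_PPA),
]


def search_names_leaky(publications, query):
    """Reported behaviour: match on every known source package name."""
    return sorted({p.source_name for p in publications if query in p.source_name})


def search_names_checked(publications, query):
    """Only offer names that have at least one publication in a public archive."""
    public_names = {p.source_name for p in publications if not p.archive.private}
    return sorted(n for n in public_names if query in n)


if __name__ == "__main__":
    for q in ("privatepackage", "package", "hello"):
        print(q, search_names_leaky(PUBLICATIONS, q), search_names_checked(PUBLICATIONS, q))
```

A name that also exists in a public archive stays pickable, so the filter hides only names whose sole publications are private.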

Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

My changes aren't quite working yet: the picker doesn't pick up the current value of the distribution drop-down, and Distribution:+filebug (at least) isn't using the new vocabulary yet. However, it's all behind a disabled feature flag, so this doesn't need to block deployments.

tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
information type: Private Security → Public Security
This report contains Public Security information  
Everyone can see this security related information.