bug marked as a duplicate of a private bug is marked as public itself
Bug #354634 reported by
Jan Claeys
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
After reporting bug #354185 (usplash crash) and waiting some time, the apport retracing service came by and decided this was a duplicate of bug #350250, then it changed the bug from private to public. Now, bug #350250 is apparently marked private, so I can't view it, I suppose there is a possible security issue with this crash.
But isn't it a security problem then that the duplicate bugs are marked public?
A possible attacker can scan launchpad for all bugs that are marked as duplicates of private bugs, and analyse the public duplicates to determine if they can use them...
| affects: | launchpad → malone |
Revision history for this message
| Eleanor Berger (intellectronica) wrote | #1 |
| Changed in malone: | |
| status: | New → Won't Fix |
Revision history for this message
| Jan Claeys (janc) wrote | #2 |
Revision history for this message
| Karl Fogel (kfogel) wrote | #3 |
| visibility: | private → public |
To post a comment you must log in.
It is up to bug reporters and supervisors to make sure all the bugs that need to be private are so. Often the only reason to hide a bug is to hide some information that is found in the comments, for example.