2013-07-02 17:24:38 |
Jamie Strandboge |
bug |
|
|
added bug |
2013-07-02 17:24:49 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
2013-07-02 17:33:55 |
Jamie Strandboge |
tags |
|
application-confinement |
|
2013-07-02 17:34:16 |
Jamie Strandboge |
summary |
SDK webview applications should not use ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/ for its databases |
SDK webview applications should not use ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/ for their databases |
|
2013-07-02 17:34:31 |
Jamie Strandboge |
description |
Ubuntu SDK applications that use webkit webviews store webkit cache data in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>'). |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>'). |
|
2013-07-09 08:02:42 |
Juhapekka Piiroinen |
ubuntu-qtcreator-plugins: assignee |
|
Timo Jyrinki (timo-jyrinki) |
|
2013-07-22 18:35:59 |
Alberto Mardegan |
bug |
|
|
added subscriber Alberto Mardegan |
2013-07-31 10:13:08 |
Juhapekka Piiroinen |
affects |
ubuntu-qtcreator-plugins |
ubuntu-ui-toolkit |
|
2013-07-31 18:43:51 |
Jamie Strandboge |
description |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>'). |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>'). |
|
2013-08-01 06:30:24 |
Timo Jyrinki |
bug task added |
|
qtdeclarative-opensource-src (Ubuntu) |
|
2013-08-15 23:09:22 |
Jamie Strandboge |
ubuntu-ui-toolkit: assignee |
Timo Jyrinki (timo-jyrinki) |
|
|
2013-08-15 23:09:29 |
Jamie Strandboge |
qtdeclarative-opensource-src (Ubuntu): assignee |
|
Christian Dywan (kalikiana) |
|
2013-08-23 18:46:35 |
Jamie Strandboge |
bug task added |
|
cordova-ubuntu |
|
2013-08-23 18:47:00 |
Jamie Strandboge |
summary |
SDK webview applications should not use ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/ for their databases |
SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases |
|
2013-08-23 18:48:20 |
Jamie Strandboge |
description |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>'). |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/LocalStorage/" r, |
|
2013-08-23 18:52:11 |
Pat McGowan |
cordova-ubuntu: importance |
Undecided |
High |
|
2013-08-23 18:52:11 |
Pat McGowan |
cordova-ubuntu: assignee |
|
Alexandre Abreu (abreu-alexandre) |
|
2013-08-23 18:53:24 |
Pat McGowan |
cordova-ubuntu: assignee |
Alexandre Abreu (abreu-alexandre) |
Maxim Ermilov (zaspire) |
|
2013-08-23 19:36:23 |
Jamie Strandboge |
description |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/LocalStorage/" r, |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/" r,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk, |
|
2013-09-04 03:27:06 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Saucy |
|
2013-09-04 03:27:06 |
Jamie Strandboge |
bug task added |
|
qtdeclarative-opensource-src (Ubuntu Saucy) |
|
2013-09-04 03:27:06 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu Saucy) |
|
2013-09-04 03:27:14 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
New |
Triaged |
|
2013-09-04 11:18:05 |
Jamie Strandboge |
qtdeclarative-opensource-src (Ubuntu Saucy): importance |
Undecided |
High |
|
2013-09-16 15:18:55 |
Jamie Strandboge |
description |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically: somewhere in $XDG_DATA_HOME/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/" r,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk, |
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db
This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically, webbrowser-app should be adjusted to use $XDG_DATA_HOME/<app_pkgname> for webapps, where '<app_pkgname>' is the "name" field in the Click manifest (see bug #1197037 for details).
The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/" r,
owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk, |
|
2013-09-16 16:00:58 |
Pat McGowan |
bug |
|
|
added subscriber Pat McGowan |
2013-09-17 09:20:49 |
Alan Pope 🍺🐧🐱 🦄 |
bug |
|
|
added subscriber Alan Pope ㋛ |
2013-09-17 11:03:28 |
Cris Dywan |
branch linked |
|
lp:~kalikiana/ubuntu-ui-toolkit/appname |
|
2013-09-23 18:42:36 |
PS Jenkins bot |
ubuntu-ui-toolkit: status |
New |
Fix Committed |
|
2013-09-25 10:20:49 |
Launchpad Janitor |
ubuntu-ui-toolkit (Ubuntu Saucy): status |
New |
Fix Released |
|
2013-09-26 18:29:48 |
Florian Boucault |
ubuntu-ui-toolkit: status |
Fix Committed |
Fix Released |
|
2013-09-26 21:35:55 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
Triaged |
In Progress |
|
2013-09-26 21:35:59 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): importance |
Undecided |
High |
|
2013-09-26 21:36:01 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): assignee |
|
Jamie Strandboge (jdstrand) |
|
2013-09-26 21:36:36 |
Jamie Strandboge |
qtdeclarative-opensource-src (Ubuntu Saucy): status |
New |
Won't Fix |
|
2013-10-08 00:03:34 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/apparmor-easyprof-ubuntu |
|
2013-10-08 00:29:47 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
In Progress |
Fix Released |
|
2013-10-11 17:36:44 |
Jamie Strandboge |
bug task deleted |
qtdeclarative-opensource-src (Ubuntu) |
|
|
2013-10-11 17:37:02 |
Jamie Strandboge |
bug task deleted |
qtdeclarative-opensource-src (Ubuntu Saucy) |
|
|
2013-10-25 16:01:29 |
Jamie Strandboge |
bug task added |
|
cordova-ubuntu (Ubuntu) |
|
2013-10-25 16:01:47 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Trusty |
|
2013-10-25 16:01:47 |
Jamie Strandboge |
bug task added |
|
ubuntu-ui-toolkit (Ubuntu Trusty) |
|
2013-10-25 16:01:47 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu Trusty) |
|
2013-10-25 16:01:47 |
Jamie Strandboge |
bug task added |
|
cordova-ubuntu (Ubuntu Trusty) |
|
2013-10-25 20:46:15 |
Jamie Strandboge |
cordova-ubuntu (Ubuntu Trusty): importance |
Undecided |
High |
|
2013-10-25 20:46:15 |
Jamie Strandboge |
cordova-ubuntu (Ubuntu Trusty): status |
New |
Confirmed |
|
2013-10-25 20:47:25 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Trusty): status |
Fix Released |
Triaged |
|
2013-10-25 21:15:51 |
Jamie Strandboge |
summary |
SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases |
SDK and cordova webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases |
|
2013-10-25 21:16:07 |
Jamie Strandboge |
cordova-ubuntu: status |
New |
Confirmed |
|
2014-01-31 15:35:09 |
Alexandre Abreu |
bug task added |
|
ubuntu-html5-theme |
|
2014-01-31 15:35:37 |
Alexandre Abreu |
branch linked |
|
lp:~abreu-alexandre/ubuntu-html5-theme/fix-applicationname |
|
2014-01-31 16:23:41 |
PS Jenkins bot |
ubuntu-html5-theme: status |
New |
Fix Committed |
|
2014-02-01 01:37:19 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/ubuntu-html5-theme |
|
2014-02-03 18:10:04 |
Launchpad Janitor |
ubuntu-html5-theme (Ubuntu Trusty): status |
New |
Fix Released |
|
2014-02-03 22:20:24 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2014-02-05 22:44:24 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/apparmor-easyprof-ubuntu |
|
2014-02-05 23:32:48 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
2014-03-30 23:43:48 |
Adnane Belmadiaf |
ubuntu-html5-theme: status |
Fix Committed |
Fix Released |
|
2014-04-25 09:08:05 |
Maxim Ermilov |
cordova-ubuntu: status |
Confirmed |
Fix Released |
|
2014-10-08 16:28:17 |
Jamie Strandboge |
cordova-ubuntu (Ubuntu Trusty): status |
Confirmed |
Won't Fix |
|
2015-01-13 17:22:37 |
Jamie Strandboge |
cordova-ubuntu (Ubuntu): status |
Confirmed |
Fix Released |
|