Command line automatically included in bug report, violating user's privacy

Bug #132800 reported by Till Ulen
22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apport (Ubuntu)
High
Martin Pitt

Bug Description

Binary package hint: apport

I used the "Help -> Report a problem" menu item in gedit to report bug #132788. The command line of my gedit process was automatically included in the bug report. The command line contained the pathname of a file that I clicked to open that particular instance of gedit earlier.

So the pathname of an unrelated file on my computer has been accidentally included in a public bug report. The pathname is hard to notice in the bug report text for a unsuspecting user, and no preview or warning about privacy issues were given. Moreover, the pathname cannot be easily removed from the bug report text: even after editing the bug description, the original report is still publicly available.

That behavior of the bug reporting system does not respect the reporter's privacy.

Making the bug visible to its subscribers only is a poor solution for this. It limits the access to the bug without any good technical reason. Even worse, it works only if the user has noticed her private filename visible to anyone in the first place.

A proper fix for this should show a preview of all the debugging information being submitted. The fix would allow the user to exclude any fields that can violate her privacy before submitting her bug report via the net.

I assigned this bug to apport to have my version details automatically included here. It might be as well fixed in Launchpad, but that has the shortcoming that private information has to be first transmitted to Launchpad before the user has a chance to mark it as private. So it would be still potentially disclosed to Launchpad maintainers, the guys who managed to secretly own Launchpad, and those who can eavesdrop SSL sessions using some 0day protocol flaws or whatever.

ProblemType: Bug
Architecture: i386
Date: Thu Aug 16 01:23:49 2007
DistroRelease: Ubuntu 7.04
Package: apport 0.76.1
PackageArchitecture: all
SourcePackage: apport
Uname: Linux chronos 2.6.20-16-generic #2 SMP Thu Jun 7 20:19:32 UTC 2007 i686 GNU/Linux

Revision history for this message
Till Ulen (tillulen) wrote :
Revision history for this message
Oumar Aziz OUATTARA (wattazoum) wrote :

I definitely agree .

<quote>
A proper fix for this should show a preview of all the debugging information being submitted. The fix would allow the user to exclude any fields that can violate her privacy before submitting her bug report via the net.
</quote>

well, showing to an common end user, all debugging information can be really scary. But we need to analyze and to distinguish type of informations that could touch to the user privacy , then ALWAYS ask him if he wanted to modify the informations (concealing them for instance) but he needs to be aware that in some case the exact information is mandatory to investigate.
But we shouldn't allow complete removal of the information (just modification).

in some case , private informations are embedded in the stack Trace. Those cases are really difficult to address.

NOTE [for QA] : this bug importance should be set to High or Serious as privacy is a really important subject for Users

Changed in apport:
status: New → Confirmed
Revision history for this message
Martin Pitt (pitti) wrote :

Right, for bug reports we should not have the command line. It is highly important for triaging crash reports, but for those the user can display the report and chose not to send it to us (and is warned that it might contain private information).

Changed in apport:
importance: Undecided → Medium
status: Confirmed → Triaged
importance: Medium → High
status: Triaged → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

Fixed in bzr head.

Changed in apport:
status: In Progress → Fix Committed
assignee: nobody → pitti
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 0.102

---------------
apport (0.102) hardy; urgency=low

  [ Martin Pitt ]
  * problem_report.py: Support reading reports with legacy zlib
    compression in 'retain compressed values' mode (as used nowadays by
    apport when reporting a crash). Add a test case, too. (LP: #129616)
  * debian/control, debian/rules: Switch from python-support to
    python-central, and use 'nomove' option so that apport works during
    upgrades, too. (LP: #121341)
  * debian/rules: Use dh_icons instead of dh_iconcache.
  * debian/apport.init: Do not stop apport in any runlevel (LSB header).
  * apport/ui.py, run_crash(): Catch zlib.error on invalidly compressed core
    dumps. (LP: #176977)
  * apport/ui.py: Give a meaningful error message instead of crashing if the
    package for a crash report is not installed any more. (LP: #149739)
  * apport/ui.py: Do not include ProcCmdline in bug reports, since these are
    not ack'ed by the user and might contain sensitive data. (LP: #132800)
  * apport/ui.py: Add various test cases for crash reports whose packages have
    been uninstalled between the crash and the report. This reproduces
    LP #186684.
  * apport/ui.py, load_report(): Produce proper error message if
    executable/interpreter path do not exist any more. (LP: #186684)
  * cli/apport-cli: Intercept SIGPIPE when calling sensible-pager, to avoid
    crash when quitting it prematurely. (LP: #153872)
  * bin/apport-checkreports: Print out a list of program names/packages which
    have a pending crash report. (LP: #145117)
  * apport/ui.py, run_argv(): Add return code which indicates whether any
    report has been processed.
  * cli/apport-cli: If no pending crash reports are present, say so and refer
    to --help. (LP: #182985)
  * apport/ui.py: Waive check for obsolete packages if environment defines
    $APPORT_IGNORE_OBSOLETE_PACKAGES. Document this in the apport-cli manpage.
    (LP: #148064)

  [ Daniel Hahler ]
  * .crash file integration for KDE3 (LP: #177055)
    - debian/apport-qt.install: install added files qt4/apport-qt-mime.desktop
      and qt4/apport-qt-mimelnk.desktop
  * Fixed minor warnings/errors from desktop-file-validate in
    gtk/apport-gtk-mime.desktop.in and qt4/apport-qt.desktop.in (LP: #146957)

 -- Martin Pitt <email address hidden> Wed, 06 Feb 2008 12:55:53 +0100

Changed in apport:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers