apport is leaking environment variables (including passwords!) to public bug reports

Bug #1738581 reported by H.-Dirk Schmitt on 2017-12-16
This bug affects 1 person
Affects: apport (Ubuntu)
Importance: High
Assigned to: Brian Murray

Bug Description

See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.

Apport includes the file JournalErrors.txt.
This file includes, e.g., the following line:
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting <email address hidden>

Normally it would not be a problem that gdm-x-session writes this to the journal, because the journal is not intended to be published on the internet.

Setting confidential information via the environment is maybe not the best idea, but it is a legal procedure and for `mpc` the only way to set this information.

IMHO the apport utility is the problem here, because it includes the file with risky information in a publicly visible bug report.

Note: I manually deleted the attachment in the mentioned bug report. But how can I be sure that a web crawler hasn't read/preserved that attachment?

information type: Private Security → Public Security
affects: evolution (Ubuntu) → apport (Ubuntu)
tags: added: xenial
summary: - apport leaks environment variables (including passwords!) to bug
- reports
+ apport is leaking environment variables (including passwords!) to
+ puplic bug reports
summary: apport is leaking environment variables (including passwords!) to
- puplic bug reports
+ public bug reports
Seth Arnold (seth-arnold) wrote :

Indeed you should assume these credentials have been acquired already and reset them as appropriate. Thank you for the report.

@seth-arnold - the credential is already replaced.

The issue is the problematic apport behaviour.

Another issue is that the report is now 3 days old and covers a serious information leak. But still nobody responsible has "confirmed" the bug or shown *any* activity :-/

Changed in apport (Ubuntu):
status: New → In Progress
assignee: nobody → Brian Murray (brian-murray)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.8-0ubuntu9

---------------
apport (2.20.8-0ubuntu9) bionic; urgency=medium

  * data/general-hooks/generic.py: change JournalErrors to contain errors not
    warnings. (LP: #1738581)

 -- Brian Murray <email address hidden> Mon, 12 Feb 2018 16:42:28 -0800

Changed in apport (Ubuntu):
status: In Progress → Fix Released
tags: added: id-5a5f96578e357fc4d5dba7cc
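
A check a reporter can run on a JournalErrors.txt-style attachment before it is uploaded, given here as an added example that is not apport's code or part of the original report. It assumes the hidden text after "setting" had the form NAME=VALUE; the sample lines are constructed, and MPD_HOST is used only because the report mentions mpc (the page does not show which variable leaked).

```python
import re

# Shape of the journal line quoted in the report. NAME=VALUE after "setting"
# is an assumption: Launchpad hid the original text.
ENV_SETTING = re.compile(
    r"(?P<prefix>dbus-update-activation-environment: setting )"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$"
)


def redact_journal(text):
    """Return (redacted_text, names) for journal text about to be attached.

    Every value is dropped, not only those with a suspicious-looking name:
    a variable such as MPD_HOST carries a password without looking like one,
    so filtering on names like PASSWORD or TOKEN would let it through.
    """
    names = []
    out = []
    for line in text.splitlines():
        m = ENV_SETTING.search(line)
        if m:
            names.append(m.group("name"))
            # Keep timestamp, unit and variable name for debugging value only.
            line = (line[:m.start()] + m.group("prefix")
                    + m.group("name") + "=<redacted>")
        out.append(line)
    return "\n".join(out), names


# Constructed sample input (hypothetical host name and password).
SAMPLE = (
    "Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: "
    "dbus-update-activation-environment: setting MPD_HOST=examplepw@mpd.example.org\n"
    "Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: "
    "dbus-update-activation-environment: setting LANG=de_DE.UTF-8\n"
    "Dez 16 19:11:32 hostname kernel: usb 1-2: device descriptor read/64, error -71\n"
)

if __name__ == "__main__":
    redacted, names = redact_journal(SAMPLE)
    print(redacted)
    print("variables whose values were removed:", ", ".join(names))
```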
This report contains Public Security information.
Everyone can see this security related information.