apport attachment JounralErrors should only be included for crash reports which are private

Bug #1738581 reported by H.-Dirk Schmitt on 2017-12-16
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apport (Ubuntu)
High
Brian Murray
Xenial
High
Brian Murray
Artful
High
Brian Murray

Bug Description

[Impact]
apport includes an attachment called JournalErrors which includes warnings and errors in journalctl output. This can in rare circumstances include private information.

[Test Case]
1) Run ubuntu-bug apport
2) Observe JournalErrors attachment in the .crash file

With the version of apport from -proposed JournalErrors will only be included in crash reports not regular bug reports. So follow the same test case and ensure JournalErrors is not included then run:

1) d-feet
2) pkill -11 d-feet
3) Observe JournalErrors in the d-feet .crash file

[Regression Potential]
Its possible my code is bad and then apport would crash when collecting journal errors. However, apport will just carry on and not include that attachment which would still be an improvement as there wouldn't be any private information included.

See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.

Original Description
--------------------

Apport includes the file JournalErrors.txt
This file includes e.g. the following line.
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting <email address hidden>

Normally it would be not problem that gdm-x-session write this to the journal, because the journal is not intended to be published on the internet.

Setting confidential informations via environment is maybe not the best idea, but a legal procedure and for `mpc` the only way to set this information.

IMHO the apport utility is here the problem, because it includes the file with risky information to a public visible bug report.

Note: I manually delete the attachment in the mentioned bug report. But how can I sure that a web crawlser hasn't read/preserved that attachment?

information type: Private Security → Public Security
affects: evolution (Ubuntu) → apport (Ubuntu)
tags: added: xenial
summary: - apport leaks environment variables (including passwords!) to bug
- reports
+ apport is leaking environment variables (including passwords!) to
+ puplic bug reports
summary: apport is leaking environment variables (including passwords!) to
- puplic bug reports
+ public bug reports

Indeed you should assume these credentials have been acquired already and reset them as appropriate. Thank you for the report.

@seth-arnold - the credential is already replaced.

The issue is the problematic apport behaviour.

Another issue is that the report is now 3 days old and covering a serious information leak. But still nobody responsible „confirmed“ the bug or shown *any* activity :-/

Changed in apport (Ubuntu):
status: New → In Progress
assignee: nobody → Brian Murray (brian-murray)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.8-0ubuntu9

---------------
apport (2.20.8-0ubuntu9) bionic; urgency=medium

  * data/general-hooks/generic.py: change JournalErrors to contain errors not
    warnings. (LP: #1738581)

 -- Brian Murray <email address hidden> Mon, 12 Feb 2018 16:42:28 -0800

Changed in apport (Ubuntu):
status: In Progress → Fix Released
tags: added: id-5a5f96578e357fc4d5dba7cc
Sebastien Bacher (seb128) wrote :

The change there seems buggy to me, warnings are useful to us for debugging and usually don't contain private info (or are not more likely to contain info that errors logs).

One local example (xenial)

$ journalctl -b --priority=warning | grep -i org.freedesktop.Notifications

mars 15 16:10:03 ubuntudbg org.freedesktop.Notifications[3074]: **
(notify-osd:3450): WARNING **: stack_close_notification_handler():
notification id == 0, likely wrong

$ journalctl -b --priority=err | grep -i org.freedesktop.Notifications
$

Those sort of warning usually don't contain any sensitive info and are
very valuable in figuring issues

The bug there to me is that gdm is logging standard "stdout/info" messages and those are ending up in the systemd journal being considered as warnings. Those logs shouldn't be there in the first place or should be in a lower level, that's either a bug in the way gdm/gtk are logging output or in journald.

Brian Murray (brian-murray) wrote :

I've gone ahead and modified the apport code so that JournalErrors includes warnings again but it also is only included for crash reports which are private by default. I believe this strikes a nice balance between privacy for users and functionality for developers. If its necessary for bug reports triagers can always ask for the equivalent of JournalErrors.

Changed in apport (Ubuntu):
status: Fix Released → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.9-0ubuntu2

---------------
apport (2.20.9-0ubuntu2) bionic; urgency=medium

  * data/general-hooks/generic.py: Have JournalErrors include warnings but
    only for apport-crash reports which are private by default. (LP: #1738581)
  * setup.py: update version with javac

 -- Brian Murray <email address hidden> Wed, 28 Mar 2018 11:45:29 -0700

Changed in apport (Ubuntu):
status: In Progress → Fix Released
Changed in apport (Ubuntu Xenial):
status: New → Triaged
Changed in apport (Ubuntu Artful):
status: New → Triaged
Changed in apport (Ubuntu Xenial):
importance: Undecided → High
Changed in apport (Ubuntu Artful):
importance: Undecided → High
summary: - apport is leaking environment variables (including passwords!) to
- public bug reports
+ apport attachment JounralErrors should only be included for crash
+ reports which are private
description: updated
Changed in apport (Ubuntu Artful):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Xenial):
assignee: nobody → Brian Murray (brian-murray)

Hello H.-Dirk, or anyone else affected,

Accepted apport into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.7-0ubuntu3.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apport (Ubuntu Artful):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-artful
Changed in apport (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello H.-Dirk, or anyone else affected,

Accepted apport into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Brian Murray (brian-murray) wrote :

SRU verification for Artful - ubuntu-bug w/o no JournalErrors

== InstallationDate =================================
Installed on 2018-01-02 (96 days ago)

== InstallationMedia =================================
Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)

== Package =================================
apport 2.20.7-0ubuntu3.8

bdmurray@clean-artful-amd64:~$ grep -A3 JournalErrors /var/crash/_usr_bin_nautilus.1000.crash
JournalErrors:
 -- Logs begin at Mon 2018-04-09 11:29:44 PDT, end at Mon 2018-04-09 11:37:19 PDT. --
 Apr 09 11:29:44 clean-artful-amd64 kernel: PCCT header not found.
 Apr 09 11:29:44 clean-artful-amd64 kernel: acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.

Setting to verification-done.

tags: added: verification-done-artful
removed: verification-needed-artful
Brian Murray (brian-murray) wrote :

SRU verification for 16.04 - ubuntu-bug without JournalErrors:

== InstallationDate =================================
Installed on 2016-10-06 (549 days ago)

== InstallationMedia =================================
Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)

== Package =================================
apport 2.20.1-0ubuntu2.16

== PackageArchitecture =================================
all

bdmurray@clean-xenial-amd64:~$ grep -A3 JournalErrors /var/crash/_usr_bin_nautilus.1000.crash
JournalErrors:
 -- Logs begin at Mon 2018-04-09 13:24:21 PDT, end at Mon 2018-04-09 13:36:50 PDT. --
 Apr 09 13:24:21 clean-xenial-amd64 kernel: ACPI: RSDP 0x00000000000F6850 000014 (v00 BOCHS )
 Apr 09 13:24:21 clean-xenial-amd64 kernel: ACPI: RSDT 0x00000000BFFE132A 00002C (v01 BOCHS BXPCRSDT 00000001 BXPC 00000001)

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.7-0ubuntu3.8

---------------
apport (2.20.7-0ubuntu3.8) artful; urgency=medium

  * data/general-hooks/generic.py: Only include JournalErrors for apport-crash
    reports which are private by default. (LP: #1738581)

 -- Brian Murray <email address hidden> Fri, 30 Mar 2018 09:43:05 -0700

Changed in apport (Ubuntu Artful):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apport has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.1-0ubuntu2.16

---------------
apport (2.20.1-0ubuntu2.16) xenial; urgency=medium

  * data/general-hooks/generic.py: Only include JournalErrors for apport-crash
    reports which are private by default. (LP: #1738581)

 -- Brian Murray <email address hidden> Fri, 30 Mar 2018 09:53:05 -0700

Changed in apport (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers