Activity log for bug #1738581

Date Who What changed Old value New value Message
2017-12-16 21:58:03 H.-Dirk Schmitt bug added bug
2017-12-16 21:58:37 H.-Dirk Schmitt information type Private Security Public Security
2017-12-16 21:59:27 H.-Dirk Schmitt affects evolution (Ubuntu) apport (Ubuntu)
2017-12-16 21:59:56 H.-Dirk Schmitt tags xenial
2017-12-16 22:03:04 H.-Dirk Schmitt summary apport leaks environment variables (including passwords!) to bug reports apport is leaking environment variables (including passwords!) to puplic bug reports
2017-12-16 22:03:17 H.-Dirk Schmitt summary apport is leaking environment variables (including passwords!) to puplic bug reports apport is leaking environment variables (including passwords!) to public bug reports
2018-02-13 00:48:05 Brian Murray apport (Ubuntu): status New In Progress
2018-02-13 00:48:09 Brian Murray apport (Ubuntu): assignee Brian Murray (brian-murray)
2018-02-13 00:48:13 Brian Murray apport (Ubuntu): importance Undecided High
2018-02-13 00:48:34 Launchpad Janitor branch linked lp:~ubuntu-core-dev/ubuntu/bionic/apport/ubuntu
2018-02-13 16:25:12 Launchpad Janitor apport (Ubuntu): status In Progress Fix Released
2018-02-15 19:51:46 Francis Ginther tags xenial id-5a5f96578e357fc4d5dba7cc xenial
2018-03-28 18:59:51 Brian Murray apport (Ubuntu): status Fix Released In Progress
2018-03-28 20:15:31 Launchpad Janitor apport (Ubuntu): status In Progress Fix Released
2018-03-28 21:04:28 Brian Murray nominated for series Ubuntu Artful
2018-03-28 21:04:28 Brian Murray bug task added apport (Ubuntu Artful)
2018-03-28 21:04:28 Brian Murray nominated for series Ubuntu Xenial
2018-03-28 21:04:28 Brian Murray bug task added apport (Ubuntu Xenial)
2018-03-28 21:04:36 Brian Murray apport (Ubuntu Xenial): status New Triaged
2018-03-28 21:04:39 Brian Murray apport (Ubuntu Artful): status New Triaged
2018-03-28 21:04:41 Brian Murray apport (Ubuntu Xenial): importance Undecided High
2018-03-28 21:04:43 Brian Murray apport (Ubuntu Artful): importance Undecided High
2018-03-30 16:35:12 Brian Murray summary apport is leaking environment variables (including passwords!) to public bug reports apport attachment JounralErrors should only be included for crash reports which are private
2018-03-30 16:39:25 Brian Murray description See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564 created with ubuntu-bug. Apport includes the file JournalErrors.txt This file includes e.g. the following line. Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=xxxxxxx@xxxx.xxxxxxxxxxx.org Normally it would be not problem that gdm-x-session write this to the journal, because the journal is not intended to be published on the internet. Setting confidential informations via environment is maybe not the best idea, but a legal procedure and for `mpc` the only way to set this information. IMHO the apport utility is here the problem, because it includes the file with risky information to a public visible bug report. Note: I manually delete the attachment in the mentioned bug report. But how can I sure that a web crawlser hasn't read/preserved that attachment? [Impact] apport includes an attachment called JournalErrors which includes warnings and errors in journalctl output. This can in rare circumstances include private information. [Test Case] 1) Run ubuntu-bug apport 2) Observe JournalErrors attachment in the .crash file With the version of apport from -proposed JournalErrors will only be included in crash reports not regular bug reports. So follow the same test case and ensure JournalErrors is not included then run: 1) d-feet 2) pkill -11 d-feet 3) Observe JournalErrors in the d-feet .crash file [Regression Potential] Its possible my code is bad and then apport would crash when collecting journal errors. However, apport will just carry on and not include that attachment which would still be an improvement as there wouldn't be any private information included. See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564 created with ubuntu-bug. Original Description -------------------- Apport includes the file JournalErrors.txt This file includes e.g. the following line. Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=xxxxxxx@xxxx.xxxxxxxxxxx.org Normally it would be not problem that gdm-x-session write this to the journal, because the journal is not intended to be published on the internet. Setting confidential informations via environment is maybe not the best idea, but a legal procedure and for `mpc` the only way to set this information. IMHO the apport utility is here the problem, because it includes the file with risky information to a public visible bug report. Note: I manually delete the attachment in the mentioned bug report. But how can I sure that a web crawlser hasn't read/preserved that attachment?
2018-03-30 16:48:19 Brian Murray apport (Ubuntu Artful): assignee Brian Murray (brian-murray)
2018-03-30 16:48:22 Brian Murray apport (Ubuntu Xenial): assignee Brian Murray (brian-murray)
2018-04-05 09:11:34 Łukasz Zemczak apport (Ubuntu Artful): status Triaged Fix Committed
2018-04-05 09:11:36 Łukasz Zemczak bug added subscriber Ubuntu Stable Release Updates Team
2018-04-05 09:11:38 Łukasz Zemczak bug added subscriber SRU Verification
2018-04-05 09:11:40 Łukasz Zemczak tags id-5a5f96578e357fc4d5dba7cc xenial id-5a5f96578e357fc4d5dba7cc verification-needed verification-needed-artful xenial
2018-04-05 09:12:54 Łukasz Zemczak apport (Ubuntu Xenial): status Triaged Fix Committed
2018-04-05 09:12:57 Łukasz Zemczak tags id-5a5f96578e357fc4d5dba7cc verification-needed verification-needed-artful xenial id-5a5f96578e357fc4d5dba7cc verification-needed verification-needed-artful verification-needed-xenial xenial
2018-04-09 18:41:19 Brian Murray tags id-5a5f96578e357fc4d5dba7cc verification-needed verification-needed-artful verification-needed-xenial xenial id-5a5f96578e357fc4d5dba7cc verification-done-artful verification-needed verification-needed-xenial xenial
2018-04-09 20:38:38 Brian Murray tags id-5a5f96578e357fc4d5dba7cc verification-done-artful verification-needed verification-needed-xenial xenial id-5a5f96578e357fc4d5dba7cc verification-done-artful verification-done-xenial verification-needed xenial
2018-04-12 07:47:09 Launchpad Janitor apport (Ubuntu Artful): status Fix Committed Fix Released
2018-04-12 07:47:16 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2018-04-12 08:26:35 Launchpad Janitor apport (Ubuntu Xenial): status Fix Committed Fix Released