Apport hook may expose sensitive information

Bug #1827202 reported by Alex Murray
This bug affects 2 people
Affects Status Importance Assigned to Milestone
byobu (Ubuntu)
Fix Released
Fix Released
Won't Fix
Won't Fix

Bug Description


Author: Sander Bos
Author's e-mail address: sbos _at_ sbosnet _dot_ nl
Author's website: <>
CVE identifier: requested
Date: 2019-04-19
Report version: 2


The Ubuntu "byobu" package contains a security vulnerability which may
lead to disclosure of private as well as sensitive information in case
a bug or crash report file gets created by the user or in case the
application crashes, with this report file then being uploaded to an
external crash report database, all through the Ubuntu "Apport" crash
report framework.

The vulnerability is specific to the Ubuntu (and Debian) byobu package
(and potentially derivate OS packages, for example Linux Mint), and not
present in the upstream application itself (although it is in fact part
of the upstream source code repository).


"Byobu" [1, 2] is a text-based window manager, terminal multiplexer,
and integrated DevOps environment which can act as an enhancement to
the GNU Screen and tmux applications. It was initially developed for
Ubuntu, and is nowadays available in many GNU/Linux distributions as
well as macOS and some BSD operating systems.

The Ubuntu "byobu" package adds a file "debian/" [3] to
the program. This file acts as a so-called "package hook" for the Ubuntu
"Apport" crash report framework [4]. When a Byobu process crashes,
or when the user manually creates a bug report file for the program,
a local crash or bug report file gets created. This report file may be
amended with additional information, as defined by the package hook file.
The resulting report file may then be uploaded to an external bug report
database like Launchpad [5] or the Ubuntu Error Tracker [6].

The vulnerability lies in the fact that the debian/ package
hook file includes the user's ~/.screenrc file (line numbers prepended):

 10 def add_info(report):
 13 attach_file_if_exists(report, path.expanduser('~/.screenrc'), 'ScreenRC')

This file however is a user's private dot file, which should therefore
probably not be attached to the report at all to begin with. Specifically
though the file may contain actual sensitive information, including but
not limited to passwords, user names, and host names.

Thus, private and / or sensitive user information may end up in external
bug databases and (potentially public) bug reports. This applies
specifically in case the system on which the application crashed is
configured to automatically upload Apport crash reports without asking
the user's permission or requiring any user intervention at all.

The vulnerability is specific to the Ubuntu (and Debian) byobu package
(and potentially derivate OS packages, for example Linux Mint), and not
present in the upstream application itself.


The general vulnerability impact type of this vulnerability is disclosure
of sensitive information potentially including but not limited to
passwords, user names, and host names.

The leakage of such sensitive information from the ~/.screenrc file is
the core of this security vulnerability. However, even when the file
does not (or would never) include sensitive information like passwords,
sending out a user dot file like ~/.screenrc could still be considered
a privacy infringement on itself.

The following are examples of GNU Screen commands which may be included
in ~/.screenrc files [7] and contain sensitive (or at least private)
information (this list should not be considered exhaustive):

- "password" (may contain passwords);
- "su" (may include user names and passwords);
- all "*acl*" options and "umask" (involve ACLs, contain user names,
  and may contain passwords);
- "screen" (may contain host name and connection information regarding
  TELNET connections to, for example, (administrative interfaces of)
  internal-only hosts on an internal network);
- "at", "command", "eval", "exec", "shell", "source", and other commands
  concerned with to be executed (shell) commands.

Even though Byobu can be used on many different GNU/Linux distributions
and other operating systems, the vulnerability only applies to the Ubuntu
and Debian packages (and potentially derivative package versions, for
example Linux Mint). In addition, for the vulnerability to be exploitable
the system needs to have the Apport framework installed and enabled.
This is the case by default on Ubuntu, and may be the case on at least
SUSE based systems as well as the Debian "experimental" distribution.

As additional requirement factors Byobu needs to crash for the
vulnerability to occur (or the user needs to manually create a bug
report), and the crash report needs to be uploaded to an external bug
database, either manually by the user or automatically by the Apport
framework. A crash could happen as a result of regular application usage,
but it may also be maliciously caused by a (local or remote) attacker
by means of additional exploitative factors (e.g., Byobu application or
terminal related bugs). If the connection to the external bug databases
is unencrypted, the information may also leak by means of captured
network traffic.


The following example demonstrates the vulnerability on a default
installation of Ubuntu Server 16.04 LTS, showing the contents of the
user's ~/.screenrc file being included in the bug report file:

   $ echo "secret" > ~/.screenrc
   $ apport-cli --save /tmp/reportfile /usr/bin/byobu

   *** Collecting problem information

   The collected information can be sent to the developers to improve the
   application. This might take a few minutes.
   $ grep "ScreenRC" /tmp/reportfile
   ScreenRC: secret

The above example manually creates a bug report file by directly calling
apport-cli(1) [8] on the Byobu binary. The bug report file may then get
uploaded to a remote bug reporting database, making the contents of the
~/.screenrc file end up in a (potentially public) bug report.

As an alternative PoC example an actual crash report could be generated
by manually crashing a Byobu process (using for example "kill -11")
and then running apport-cli(1) on the, initially limited, crash report
file in /var/crash/. The end result would however be equal.


The vulnerability was introduced in the upstream Byobu source code
repository on 2009-07-09 as part of adding the Apport package hook file,
in Bazaar revision 648 [9].

The first Ubuntu package version containing the vulnerability was
2.20-0ubuntu1, released 2009-07-12 [10]. Assumably all Ubuntu and Debian
package versions from that version on have been vulnerable.

Currently, the following supported Ubuntu versions with their respective
byobu package versions are vulnerable [11]:

Ubuntu 19.04: 5.127-0ubuntu1
Ubuntu 18.10: 5.127-0ubuntu1
Ubuntu 18.04 LTS: 5.125-0ubuntu1
Ubuntu 16.04 LTS: 5.106-0ubuntu1
Ubuntu 14.04 LTS: 5.77-0ubuntu1.2
Ubuntu 12.04 ESM: 5.17-0ubuntu1

(Note: the package version listed for Ubuntu 12.04 ESM is actually the
version from Ubuntu 12.04 LTS; an unchecked assumption is made here that
the version in Ubuntu 12.04 ESM did not change after Ubuntu 12.04 LTS
transitioned to Ubuntu 12.04 ESM.)

It should be noted that the byobu package gets installed by default in
the Ubuntu Server editions of several Ubuntu releases.

Byobu is also available on many other GNU/Linux distributions as well as
macOS and some BSD systems, but the Apport hook will only get executed
on systems which have Apport installed and running. Aside from Ubuntu,
this might include SUSE based systems as well as the Debian "experimental"


An immediate workaround for Ubuntu users and administrators would be
to remove the byobu package Apport package hook file from the system,
being /usr/share/apport/package-hooks/

As a proposed source code / package fix, the byobu package Apport
hook should not include the complete user's ~/.screenrc file, but at
least filter out all sensitive information that the file may contain.
This includes for example the "password" option line and other commands
mentioned in the "VULNERABILITY IMPACT" section above.

As this may not be sufficient and still include information which should
not be sent out, a better approach might be to use a whitelist of lines
to include instead of a filter of lines to exclude.

Aside from actual sensitive information contained in the user's
~/.screenrc file however, which could be considered the core vulnerability
of this report, the file simply is a user's private dot file which
should probably not be uploaded to remote sites by Apport hooks at all.
This applies specifically since uploading of Apport reports could even
happen without the user's consent or even knowledge, for example when
automatic crash report uploads are configured on the system.

It should also be (re)considered whether or not any contents from a
~/.screenrc file could be responsible for a Byobu application crash to
begin with, or why this information would be helpful to developers in
resolving a crash (or allowed to be known by developers via this route
at all).

Thus, probably the safest and best solution would be to not include the
~/.screenrc file in crash reports at all.

If filtering out specific contents or using a while list approach while
still including the ~/.screenrc file on itself in reports is chosen as a
fix instead of not including the file at all, then an additional measure
of explicitly asking the user whether or not to include the file should
be implemented. This may be done by for example using the "ui.yesno()"
interactive user interface function from Apport [12] as also implemented
in Apport package hooks from several other packages, for example the
Apport package hook from the Ubuntu "openssh-client" package [13].

In addition, and generally speaking, Apport hooks from packages should
probably never attach private files from users (either dot files or
differently named files, either from user's home directories or other
private directories) since / in case this poses a (potential) privacy
infringement. At the least, such package hooks should always ask the
user's explicit permission. It should also always be investigated if
any potential security impact is involved, for example by potentially
including passwords or other sensitive information.


2019-04-10: Version 1: initial version sent to Ubuntu Security Team.
2019-04-19: Version 2: added Ubuntu 19.04 to vulnerable Ubuntu versions list,
                       added workaround information, added "ui.yesno()"
                       information to fix proposal, various minor improvements.


[1] <>
[2] <>
[3] <>
[4] <>
[5] <>
[6] <>
[7] <>
[8] <>
[9] <>
[10] <>
[11] <>
[12] <>
[13] <>


Sander Bos discovered, analysed, and reported the vulnerabilities
described in this report. Credits are welcomed in documentation
relating to these vulnerabilities including revision control system
commit messages, patches, release notes, and security advisories.

CVE References

Revision history for this message
Alex Murray (alexmurray) wrote :

This has been assigned CVE-2019-7306

Paride Legovini (paride)
tags: added: server-triage-discuss
Revision history for this message
Bryce Harrington (bryce) wrote :

The .screenrc file format description does indicate that a password can be set in it ( so it does appear that in theory this could be a privacy problem.

There are not many bugs filed against Ubuntu's byobu package (just 10 currently) and it doesn't look like any of them have the .screenrc anyway. Dropping the inclusion of .screenrc in the apport hook looks like it wouldn't adversely affect bug collection for this package; the rare cases where it might be needed could just be handled manually.

The apport hook also includes some general information about the installed screen binaries. It looks like there have been some situations in the past where extraneous screen bits could cause confusion (e.g. lp #390808 comments #6-9) that may be the reason for that. This may be of limited usefulness, but seems of minimal risk.

So, dropping the inclusion of the .screenrc seems like a sensible path for resolving this issue.

Changed in byobu (Ubuntu):
status: New → Confirmed
Revision history for this message
Bryce Harrington (bryce) wrote :

(Since the apport hook is part of the ubuntu packaging, there is not a need for an upstream task here.)

Changed in byobu:
status: New → Invalid
Paride Legovini (paride)
Changed in byobu (Ubuntu):
assignee: nobody → Paride Legovini (legovini)
tags: removed: server-triage-discuss
Revision history for this message
Robie Basak (racb) wrote :

Sander Bos, thank you for your research and report. I agree that this is a potential privacy leak and it should be fixed, and I appreciate the work you've done in identifying it. However, while your work does identify a worthwhile improvement, I think that calling this a security vulnerability is a stretch, given the following. Please do correct me if I'm factually wrong. The following points are believe objective and not a matter of opinion:

1. The PoC is incomplete since it misses an essential piece. An attacker cannot use it. It doesn't show how an attacker could make the apport hook fire, which is essential for the privacy leak to happen.

2. Apport and whoopsie were designed with privacy leak risks in mind, and always give the user the opportunity to view a report before sending it, in part to ensure that no sensitive information is present. The exception is if automatic crash reporting is enabled, but this is an explicit user opt-in.

3. The user must have had to have placed sensitive data in ~/.screenrc. I understand that users may do this, but it does have to be an explicit user action and is not the default case.

In my opinion, the above three factors make it questionable that this is a security vulnerability at all. If it is, it certainly has an exceeding low severity. We don't currently see any reports where these three things have come together.

Nevertheless, I agree that it makes sense to adjust the apport hook to avoid attaching ~/.screenrc. Certainly if one of the factors above turned out to be less of a barrier, making this change now would mitigate that future vulnerability. Thank you again for bringing this to our attention.

Revision history for this message
Paride Legovini (paride) wrote :

MP to skip the inclusion of the user's .screenrc from the apport crash report:

Paride Legovini (paride)
tags: added: server-next
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Fine. I'll merge this upstream.

Revision history for this message
Alex Murray (alexmurray) wrote :

Is there anything blocking this being merged upstream?

Revision history for this message
Paride Legovini (paride) wrote :

This has been merged already (rev2614), I updated the bug status.

Changed in byobu (Ubuntu):
status: Confirmed → Fix Committed
milestone: none → ubuntu-19.10
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This fix is in 5.128-0ubuntu1 in Eoan

Changed in byobu (Ubuntu):
status: Fix Committed → Fix Released
assignee: Paride Legovini (legovini) → nobody
tags: removed: server-next
Changed in byobu (Ubuntu Xenial):
status: New → Won't Fix
Changed in byobu (Ubuntu Bionic):
status: New → Won't Fix
Changed in byobu (Ubuntu Disco):
status: New → Won't Fix
Changed in byobu (Ubuntu Xenial):
importance: Undecided → Low
Changed in byobu (Ubuntu Bionic):
importance: Undecided → Low
Changed in byobu (Ubuntu Disco):
importance: Undecided → Low
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

CVE classified as low, and Paride talked with Amurray and SRUs are not needed on this.
If security wants to push it still the patch is in the repo of byobu.

Changed in byobu (Ubuntu Xenial):
status: Won't Fix → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.