security/privacy hole in zeitgeist
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zeitgeist Framework | Fix Released | Low | Siegfried Gevatter | |
zeitgeist (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
zeitgeist data files don't seem to use the right permissions by default:
user@machine:
total 7244
-rw-r--r-- 1 user user 3776512 2012-02-03 23:47 activity.sqlite
-rw-rw-r-- 1 user user 1996800 2011-10-17 03:09 activity.sqlite.bck
-rw-r--r-- 1 user user 1623848 2012-02-03 23:47 activity.
so that any user on the same machine (or with network access to the home drive), including the guest user, will be able to read the highly sensitive private information of everybody else and use it to blackmail the users, or whatever nasty things one could do with private information.
this could be fixed by having the right permissions or even better by making all the privacy-killing features of ubuntu opt in...
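A way to check for and correct the exposure this report describes, as an added example that is not part of the original report or of the Zeitgeist code: it lists entries that carry any group or other permission bit, strips those bits, and creates new files private from the start. The function names and the directory argument are assumptions, and the sample files are constructed to mirror the modes in the listing above.

```shell
#!/bin/sh
# Added example: find and fix data files that other local accounts can access.
# Function names are illustrative; the directory is an argument and no
# Zeitgeist path is assumed.

# List entries under $1 with any group/other permission bit set.
# Symlinks are skipped: their own mode bits are not what gates access.
audit_private_dir() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries under $1.
count_exposed() {
    audit_private_dir "$1" | wc -l | tr -d ' '
}

# Strip every group/other bit under $1; owner bits are left alone.
harden_private_dir() {
    chmod -R go-rwx "$1"
}

# Create an empty file that is private from the start. The umask change
# is confined to the subshell, so the caller's umask is untouched.
create_private() {
    ( umask 077 && : > "$1" )
}

# Type and permission string (first ten characters of `ls -ld`) for $1.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample: a directory holding files with the modes in the listing.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    : > "$d/activity.sqlite";     chmod 644 "$d/activity.sqlite"
    : > "$d/activity.sqlite.bck"; chmod 664 "$d/activity.sqlite.bck"
    printf '%s\n' "$d"
}

demo() {
    dir=$(make_sample) || return 1
    echo "exposed before: $(count_exposed "$dir")"
    harden_private_dir "$dir"
    echo "exposed after:  $(count_exposed "$dir")"
    rm -rf "$dir"
}
demo
```

Stripping bits on existing files only repairs the current state; the writing process still needs a restrictive umask or an explicit mode at creation, which is what `create_private` shows.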
visibility: private → public
affects: ubuntu → zeitgeist (Ubuntu)
Changed in zeitgeist:
assignee: nobody → Siegfried Gevatter (rainct)
Changed in zeitgeist:
importance: Undecided → Low
status: New → Fix Committed
milestone: none → 0.9.0
Changed in zeitgeist:
status: Fix Committed → Fix Released
Changed in zeitgeist (Ubuntu):
status: Confirmed → Fix Released
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/926652/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]