[Bug 1738581] [NEW] apport leaks environment variables (including passwords!) to bug reports
Launchpad Bug Tracker
1738581 at bugs.launchpad.net
Sat Dec 16 21:59:28 UTC 2017
*** This bug is a security vulnerability ***
You have been subscribed to a public security bug:
See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.
Apport includes the file JournalErrors.txt
This file includes e.g. the following line.
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=xxxxxxx at xxxx.xxxxxxxxxxx.org
Normally it would be not problem that gdm-x-session write this to the journal, because the journal is not intended to be published on the internet.
Setting confidential informations via environment is maybe not the best
idea, but a legal procedure and for `mpc` the only way to set this
information.
IMHO the apport utility is here the problem, because it includes the
file with risky information to a public visible bug report.
Note: I manually delete the attachment in the mentioned bug report. But how can I sure that a web crawlser hasn't read/preserved that attachment?
** Affects: apport (Ubuntu)
Importance: Undecided
Status: New
--
apport leaks environment variables (including passwords!) to bug reports
https://bugs.launchpad.net/bugs/1738581
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to apport in Ubuntu.
More information about the foundations-bugs
mailing list