[Bug 1738581] [NEW] apport is leaking environment variables (including passwords!) to public bug reports
H.-Dirk Schmitt
dirk at computer42.org
Sat Dec 16 21:58:03 UTC 2017
*** This bug is a security vulnerability ***
Public security bug reported:
See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.
Apport includes the file JournalErrors.txt.
This file includes e.g. the following line:
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=xxxxxxx at xxxx.xxxxxxxxxxx.org
Normally it would be no problem that gdm-x-session writes this to the journal, because the journal is not intended to be published on the internet.
Setting confidential information via the environment is maybe not the best
idea, but a legal procedure and for `mpc` the only way to set this
information.
IMHO the apport utility is the problem here, because it includes the
file with risky information in a publicly visible bug report.
Note: I manually deleted the attachment in the mentioned bug report. But how can I be sure that a web crawler hasn't read/preserved that attachment?
** Affects: apport (Ubuntu)
Importance: Undecided
Status: New
** Tags: xenial
** Information type changed from Private Security to Public Security
** Package changed: evolution (Ubuntu) => apport (Ubuntu)
** Tags added: xenial
** Summary changed:
- apport leaks environment variables (including passwords!) to bug reports
+ apport is leaking environment variables (including passwords!) to puplic bug reports
** Summary changed:
- apport is leaking environment variables (including passwords!) to puplic bug reports
+ apport is leaking environment variables (including passwords!) to public bug reports
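The mitigation the report points at is to scrub journal lines before they are attached to a public report. The following is an added example (not apport's own code) of such a pre-submission filter: it spots `dbus-update-activation-environment: setting NAME=value` lines and blanks the value when the variable name looks secret or the value has the `password@host` shape that MPD_HOST uses. The variable-name list, the sample journal lines and the assumption that the real line carries a literal `@` (the quoted line shows " at ", presumably the list archive's address mangling) are all mine.

```python
import re

# Constructed sample journal excerpt in the style of the quoted line.
# Hostname, password and host are placeholders, not real data.
SAMPLE_JOURNAL = """\
Dez 16 19:11:30 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting DISPLAY=:0
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=hunter2@mpd.example.org
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting API_TOKEN=placeholder-token
Dez 16 19:11:32 hostname kernel: usb 1-1: new high-speed USB device number 4
"""

# Assumed list of name fragments that mark a variable as secret.
SENSITIVE_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL|AUTH)", re.I)
# Values shaped like secret@host (or user:secret@host), the MPD_HOST convention.
CREDENTIAL_AT_HOST = re.compile(r"^[^/\s@]+@[\w.-]+$")
# The journal line format produced by dbus-update-activation-environment.
SETTING_RE = re.compile(
    r"(dbus-update-activation-environment: setting )([A-Za-z_][A-Za-z0-9_]*)=(.*)$"
)

def redact_journal_line(line: str) -> str:
    """Return the line with the variable's value replaced by <redacted>
    when the variable looks sensitive; other lines are returned unchanged.
    Over-redaction (e.g. EMAIL=user@host) is the safe failure mode."""
    m = SETTING_RE.search(line)
    if not m:
        return line
    prefix, name, value = m.groups()
    if SENSITIVE_NAME.search(name) or CREDENTIAL_AT_HOST.match(value):
        return line[: m.start()] + f"{prefix}{name}=<redacted>"
    return line

def redact_journal(text: str) -> str:
    """Apply redact_journal_line to every line of a journal dump."""
    return "".join(redact_journal_line(l) + "\n" for l in text.splitlines())

if __name__ == "__main__":
    print(redact_journal(SAMPLE_JOURNAL), end="")
```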
--
https://bugs.launchpad.net/bugs/1738581