Sure, I just did it myself. ** Information type changed from Private Security to Public Security
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-desktop3 in Ubuntu. https://bugs.launchpad.net/bugs/1695112 Title: GNOME creates thumbnails that leak encrypted data under default Ubuntu configuration Status in gnome-desktop3 package in Ubuntu: New Bug description: Tested on Ubuntu 16.04.2 LTS. Bug appears to be in libgnome- desktop-3-12 (3.18.2-1ubuntu1). Nautilus (1:3.18.4.is.3.14.3-0ubuntu5) used to confirm. When a user does not have an encrypted home directory, the default Ubuntu installation offers an encrypted Private directory for each user using ecryptfs. The goal, I presume, is to give the user a place where they can protect data from being read directly off the disk. This entire purpose is defeated, though, because GNOME caches thumbnails of files in Private. These can be detailed enough to reveal contents of the encrypted storage. To reproduce: 1. Save an image or other thumbnail-able file directly to ~/Private. It could be porn, a naked selfie, ... I used the Ubuntu logo 64_logo.png from Launchpad. 2. Open Nautilus and browse to Private. Confirm that a thumbnail is shown for the image. 3. Find this file's checksum: echo -n 'file:///home/xxx/Private/64_logo.png' | md5sum 4. Confirm that ~/.caches/thumbnails/<size>/<checksum>.png exists and is a scaled-down image of the original file in Private, that has been written to disk outside of an encrypted location. If this is not a bug, I don't understand why Ubuntu would provide an encrypted Private directory in the first place. Ideally, this would be fixed by improving gnome_desktop_thumbnail_factory_can_thumbnail so it checks the GNOME Activity Journal configuration for excluded directories, and include ~/Private in that configuration by default. If eliminating thumbnails entirely impacts usability, it should be possible to make more extensive changes that either cache thumbnails in a location on the same filesystem (much like the hidden Trash directories and Windows' thumbnail handling) or create thumbnails without caching them to disk. I noticed another security problem while investigating this. libgnome- desktop may also be leaking thumbnail data even if a user's entire home folder is encrypted, through the use of a temporary file here: https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/gnome- desktop3/vivid/view/head:/libgnome-desktop/gnome-desktop- thumbnail.c#L1369 If /tmp is not encrypted or mounted as tmpfs, there is a risk of encrypted data being discovered through forensic investigative methods on the disk. This is probably not the only way encrypted home directory data can leak out to /tmp though. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-desktop3/+bug/1695112/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
