** Changed in: gnome-desktop3 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-desktop3 in Ubuntu.
https://bugs.launchpad.net/bugs/1695112
Title:
GNOME creates thumbnails that leak encrypted data under default Ubuntu
configuration
Status in gnome-desktop3 package in Ubuntu:
Confirmed
Bug description:
Tested on Ubuntu 16.04.2 LTS. Bug appears to be in libgnome-
desktop-3-12 (3.18.2-1ubuntu1). Nautilus (1:3.18.4.is.3.14.3-0ubuntu5)
used to confirm.
When a user does not have an encrypted home directory, the default
Ubuntu installation offers an encrypted Private directory for each
user using ecryptfs. The goal, I presume, is to give the user a place
where they can protect data from being read directly off the disk.
This entire purpose is defeated, though, because GNOME caches
thumbnails of files in Private. These can be detailed enough to reveal
contents of the encrypted storage.
To reproduce:
1. Save an image or other thumbnail-able file directly to ~/Private. It could
be porn, a naked selfie, ... I used the Ubuntu logo 64_logo.png from Launchpad.
2. Open Nautilus and browse to Private. Confirm that a thumbnail is shown for
the image.
3. Find this file's checksum: echo -n 'file:///home/xxx/Private/64_logo.png'
| md5sum
4. Confirm that ~/.caches/thumbnails/<size>/<checksum>.png exists and is a
scaled-down image of the original file in Private, that has been written to
disk outside of an encrypted location.
If this is not a bug, I don't understand why Ubuntu would provide an
encrypted Private directory in the first place.
Ideally, this would be fixed by improving
gnome_desktop_thumbnail_factory_can_thumbnail so it checks the GNOME
Activity Journal configuration for excluded directories, and include
~/Private in that configuration by default. If eliminating thumbnails
entirely impacts usability, it should be possible to make more
extensive changes that either cache thumbnails in a location on the
same filesystem (much like the hidden Trash directories and Windows'
thumbnail handling) or create thumbnails without caching them to disk.
I noticed another security problem while investigating this. libgnome-
desktop may also be leaking thumbnail data even if a user's entire
home folder is encrypted, through the use of a temporary file here:
https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/gnome-
desktop3/vivid/view/head:/libgnome-desktop/gnome-desktop-
thumbnail.c#L1369 If /tmp is not encrypted or mounted as tmpfs, there
is a risk of encrypted data being discovered through forensic
investigative methods on the disk. This is probably not the only way
encrypted home directory data can leak out to /tmp though.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-desktop3/+bug/1695112/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
