*** This bug is a security vulnerability *** Public security bug reported:
See the bug report https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564 created with ubuntu-bug.

Apport includes the file JournalErrors.txt. This file includes e.g. the following line:

Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting [email protected]

Normally it would not be a problem that gdm-x-session writes this to the journal, because the journal is not intended to be published on the internet. Setting confidential information via the environment is maybe not the best idea, but it is a legal procedure and for `mpc` the only way to set this information.

IMHO the apport utility is the problem here, because it includes the file with risky information in a publicly visible bug report.

Note: I manually deleted the attachment in the mentioned bug report. But how can I be sure that a web crawler hasn't read/preserved that attachment?

** Affects: apport (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: xenial

** Information type changed from Private Security to Public Security

** Package changed: evolution (Ubuntu) => apport (Ubuntu)

** Tags added: xenial

** Summary changed:

- apport leaks environment variables (including passwords!) to bug reports
+ apport is leaking environment variables (including passwords!) to puplic bug reports

** Summary changed:

- apport is leaking environment variables (including passwords!) to puplic bug reports
+ apport is leaking environment variables (including passwords!) to public bug reports

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to evolution in Ubuntu.
https://bugs.launchpad.net/bugs/1738581

Title:
  apport is leaking environment variables (including passwords!) to public bug reports

Status in apport package in Ubuntu:
  New
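One way to scrub such lines before a journal excerpt is attached to a public report, as an added example (not apport's code and not part of the original report). It assumes the log format quoted in the report; the allowlist, the function names and the sample lines are constructed for illustration.

```python
import re

# Message that gdm-x-session logs for each exported variable, in the format
# quoted in the report: "dbus-update-activation-environment: setting NAME=value"
SETTING_RE = re.compile(
    r"(dbus-update-activation-environment: setting )"
    r"([A-Za-z_][A-Za-z0-9_]*)=(.*)$"
)

# Assumption: names whose values are harmless and useful for debugging.
# An allowlist is used because a secret can sit under any variable name,
# so matching on names like "PASSWORD" would miss cases like the reported one.
SAFE_NAMES = frozenset({"LANG", "SHELL", "XDG_SESSION_TYPE", "DESKTOP_SESSION"})


def scrub_line(line, safe_names=SAFE_NAMES):
    """Redact the value of every variable that is not on the allowlist."""
    def repl(match):
        prefix, name, _value = match.groups()
        if name in safe_names:
            return match.group(0)
        return f"{prefix}{name}=<redacted>"
    return SETTING_RE.sub(repl, line)


def scrub_journal(text, safe_names=SAFE_NAMES):
    """Return (scrubbed_text, number_of_lines_changed)."""
    lines = text.splitlines()
    scrubbed = [scrub_line(line, safe_names) for line in lines]
    changed = sum(1 for old, new in zip(lines, scrubbed) if old != new)
    return "\n".join(scrubbed), changed


# Constructed sample input; DEMO_HOST and its value are made up.
SAMPLE = (
    "Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: "
    "dbus-update-activation-environment: setting LANG=de_DE.UTF-8\n"
    "Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: "
    "dbus-update-activation-environment: setting DEMO_HOST=hunter2@music.example\n"
    "Dez 16 19:11:32 hostname evolution[9901]: some unrelated error\n"
)

if __name__ == "__main__":
    cleaned, count = scrub_journal(SAMPLE)
    print(cleaned)
    print(f"{count} line(s) redacted")
```

The variable name is kept so the report still shows which variable was exported; only the value is dropped.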

