[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Changed in: content-hub (Ubuntu) Status: New => Won't Fix ** Changed in: mir (Ubuntu) Status: New => Confirmed ** Changed in: canonical-devices-system-image Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to content-hub in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Canonical System Image: Invalid Status in Mir: New Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in content-hub package in Ubuntu: Won't Fix Status in mir package in Ubuntu: Confirmed Status in unity8 package in Ubuntu: Invalid Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says "Pasted from clipboard" and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Changed in: canonical-devices-system-image Status: New => Confirmed ** Changed in: canonical-devices-system-image Assignee: (unassigned) => Thomas Voß (thomas-voss) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to content-hub in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Canonical System Image: Confirmed Status in Mir: New Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in content-hub package in Ubuntu: New Status in mir package in Ubuntu: New Status in unity8 package in Ubuntu: Invalid Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says "Pasted from clipboard" and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
Setting to invalid in unity8 since i don't see the clipboard being handled in there at all ** Also affects: canonical-devices-system-image Importance: Undecided Status: New ** Changed in: unity8 (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to content-hub in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Canonical System Image: New Status in Mir: New Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in content-hub package in Ubuntu: New Status in mir package in Ubuntu: New Status in unity8 package in Ubuntu: Invalid Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says "Pasted from clipboard" and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
This is for future support. tvoss asked us to file this bug so that it was not lost. ** Changed in: mir (Ubuntu) Status: Incomplete = New ** Changed in: mir Status: Incomplete = New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in content-hub package in Ubuntu: New Status in mir package in Ubuntu: New Status in unity8 package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
I don't think Mir has any clipboard functionality yet, does it? Or is Mir providing some infrastructure for it indirectly? ** Changed in: mir Status: New = Incomplete ** Changed in: mir (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: Incomplete Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in content-hub package in Ubuntu: New Status in mir package in Ubuntu: Incomplete Status in unity8 package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Branch linked: lp:ubuntu/apparmor-easyprof-ubuntu -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Fix Released Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point, apparmor-easyprof- ubuntu can remove the (now unused) DBus clipboard access). To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Description changed: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. + + Another idea is to implement paste in the input method menu, and make + that the official way for users to paste inside applications, rather + than use menu items or toolbar buttons. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Fix Released Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help :
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Description changed: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather - than use menu items or toolbar buttons. + than use menu items or toolbar buttons. (Ie, remove the DBus clipboard + support and implement this instead. At that point, apparmor-easyprof- + ubuntu can remove the (now unused) DBus clipboard access). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Fix Released Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. Another idea is to implement paste in the input method menu, and make that the official way for users to paste inside applications, rather than use menu items or toolbar buttons. (Ie, remove the DBus clipboard support and implement this instead. At that point,
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.35
---
apparmor-easyprof-ubuntu (1.2.35) utopic; urgency=medium
* ubuntu/1.2/push-notification-client: don't deny access to the clipboard
since sdk apps are supposed to be able to specify this policy group
* ubuntu/1.2: add ubuntu-push-helper for push-helpers to use which (among
other things) explicitly disables access to the clipboard (LP: #1371170)
* adjust autopackagetest for ubuntu-push-helper
* ubuntu/accounts: allow all on org.freedesktop.DBus.Properties for
/com/google/code/AccountsSSO/SingleSignOn
* ubuntu/1.2/ubuntu-scope-network, pending/ubuntu-scope-local-content: also
add remaining libhybris paths (/{,var/}run/shm/hybris_shm_data and
/system/build.prop)
* ubuntu/ubuntu-sdk: explicitly disallow gsettings (dconf) access
(LP: #1378115)
-- Jamie Strandboge ja...@ubuntu.com Mon, 06 Oct 2014 10:41:18 -0500
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1371170
Title:
information disclosure: clipboard contents can be obtained without
user knowledge
Status in Mir:
New
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
Fix Released
Status in “content-hub” package in Ubuntu:
New
Status in “mir” package in Ubuntu:
New
Status in “unity8” package in Ubuntu:
New
Bug description:
Currently, the clipboard is implemented such that all apps can access
the contents at any time. The clipboard contents should only be given
to apps based on user driven input (eg, a paste operation).
Attack scenario:
1. user launches malicious app 'baz' that polls the clipboard for contents
2. user launches legitimate app 'foo', at which point 'baz' is backgrounded
3. user selects some text and puts it into the clipboard
4. user opens legitimate app 'bar' and pastes text
5. user foregrounds 'baz' which now has access to the clipboard contents
In the above, users can understand that 'foo' and 'bar' have access to
the text put in the clipboard. However, it is unexpected that 'baz'
also has access since the user didn't paste the text into it.
As it is currently implemented, there is no clipboard timeout, so the
contents will persist through the session (unless changed by another
copy operation). Application lifecycle will help a little, but not
fully since whenever an app is foregrounded, it can the contents of
the keyboard.
In the short term, we should require that only a foregrounded app
whould be able to get clipboard contents. Push helpers should have an
explicit deny to the (upcoming) DBus clipboard access. Background apps
should not be allowed to push content into the clipboard (application
lifecycle deals with this, but we need this for the future).
Ideally this would be handled via wholly user-driven interactions.
While this could be achieved via keyboard driven interactions, it is
difficult with toolkit driven interactions (ie, 'Paste' from a menu is
necessarily a pull operation). One idea is not to block access but
instead make users aware of the clipboard access (eg, an overlay that
says Pasted from clipboard and then fades out)-- this should be as
unobtrusive as possible.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Also affects: mir Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to content-hub in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Triaged Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Changed in: apparmor-easyprof-ubuntu (Ubuntu) Status: Triaged = In Progress ** Changed in: apparmor-easyprof-ubuntu (Ubuntu) Assignee: (unassigned) = Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in Mir: New Status in “apparmor-easyprof-ubuntu” package in Ubuntu: In Progress Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/mir/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Description changed: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. + In the short term, we should require that only a foregrounded app whould + be able to get clipboard contents. Push helpers should have an explicit + deny to the (upcoming) DBus clipboard access. + Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. ** Also affects: apparmor-easyprof-ubuntu (Ubuntu) Importance: Undecided Status: New ** Changed in: apparmor-easyprof-ubuntu (Ubuntu) Importance: Undecided = High ** Changed in: apparmor-easyprof-ubuntu (Ubuntu) Status: New = Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to content-hub in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Triaged Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge
** Description changed: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit - deny to the (upcoming) DBus clipboard access. + deny to the (upcoming) DBus clipboard access. Background apps should not + be allowed to push content into the clipboard (application lifecycle + deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1371170 Title: information disclosure: clipboard contents can be obtained without user knowledge Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Triaged Status in “content-hub” package in Ubuntu: New Status in “mir” package in Ubuntu: New Status in “unity8” package in Ubuntu: New Bug description: Currently, the clipboard is implemented such that all apps can access the contents at any time. The clipboard contents should only be given to apps based on user driven input (eg, a paste operation). Attack scenario: 1. user launches malicious app 'baz' that polls the clipboard for contents 2. user launches legitimate app 'foo', at which point 'baz' is backgrounded 3. user selects some text and puts it into the clipboard 4. user opens legitimate app 'bar' and pastes text 5. user foregrounds 'baz' which now has access to the clipboard contents In the above, users can understand that 'foo' and 'bar' have access to the text put in the clipboard. However, it is unexpected that 'baz' also has access since the user didn't paste the text into it. As it is currently implemented, there is no clipboard timeout, so the contents will persist through the session (unless changed by another copy operation). Application lifecycle will help a little, but not fully since whenever an app is foregrounded, it can the contents of the keyboard. In the short term, we should require that only a foregrounded app whould be able to get clipboard contents. Push helpers should have an explicit deny to the (upcoming) DBus clipboard access. Background apps should not be allowed to push content into the clipboard (application lifecycle deals with this, but we need this for the future). Ideally this would be handled via wholly user-driven interactions. While this could be achieved via keyboard driven interactions, it is difficult with toolkit driven interactions (ie, 'Paste' from a menu is necessarily a pull operation). One idea is not to block access but instead make users aware of the clipboard access (eg, an overlay that says Pasted from clipboard and then fades out)-- this should be as unobtrusive as possible. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1371170/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
