[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
The apport bugs are private by default in gutsy; that should address your concern.

Looks like Kees made an error while cleaning the list of bugs wrongly tagged as a security issue; that can happen to everybody.

** This bug is no longer flagged as a security issue

--
gnome-keyring-daemon crashed with SIGSEGV in strchr()
https://bugs.launchpad.net/bugs/130938
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
Unchecking the security option again; that looks like a simple crash and not a vulnerability that can be exploited.
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Thu, 2007-08-09 at 07:52 +, Sebastien Bacher wrote:
> Unchecking the security option again; that looks like a simple crash and not a vulnerability that can be exploited.

I wasn't sure which flag was which and erred on the side of safety.

When a bug is private to subscribers only, does anything prevent some Joe from simply subscribing to see the contents? Can a private bug be a bug others are duplicated to, such that the subscriber of the duplicate bug automatically becomes a subscriber (by way of duplicate flagging) of the private bug?

What is really needed here is something like:

http://www.usenix.org/publications/library/proceedings/sec03/tech/full_papers/broadwell/broadwell_html/scrash.html

I don't know of any real-world implementations of such a thing though. I don't know if any of the existing security frameworks will contain userspace data. I tend to think they don't/won't -- they typically only deal with kernel objects.

b.

--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Thu, 2007-08-09 at 07:51 +, Sebastien Bacher wrote:
> The apport bugs are private by default in gutsy; that should address your concern.

Partly, yes. Sensitive data is still being exposed, albeit to a smaller group of people. But it's also only guarded by the security of Launchpad. Those are both enough to make me nervous.

> Looks like Kees made an error while cleaning the list of bugs wrongly tagged as a security issue; that can happen to everybody.

Perhaps. This was careless though. I would say anyone dealing with bugs tagged as a security issue has an extra level of responsibility and needs to be an order of magnitude more careful in their actions (measure twice, cut once). The very nature of a package that deals in secrets is that it is likely that at least one of them is in the core file and/or stack trace.

As I said previously though, the real answer is the automated scrubbing of data marked sensitive as it passes through the core-dumping-and-debugging process. And then of course, the world of FOSS has to be taught to use it. :-(

This sounds like a wonderful project for a Canonical developer. :-) I'd say it belongs right in the heart of gcc/glibc/kernel so that it's ubiquitous and not just available to those by adding a library/build-time dependency.

b.

--
Brian J. Murrell
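Added example, not part of the thread and not apport's or gnome-keyring's own code: a name-based scrubber for gdb-style backtrace text, one form of the automated scrubbing the message above asks for, applied as the last step before a crash report leaves the machine. The sample backtrace is constructed (only `secret = 0xb7efb038` with the text "now is the time" echoes the line quoted in the thread), and the list of sensitive identifier fragments is an assumption.

```python
import re

# Identifier fragments treated as sensitive. Assumed list for this example.
SENSITIVE = re.compile(r"secret|passw(?:or)?d|passphrase|token|key", re.I)

# gdb prints a char* as   name = 0xADDR "text"   (locals, struct members)
# or                      name=0xADDR "text"     (frame arguments).
# The string body may contain backslash escapes such as \" and a trailing
# ... marks a string that gdb truncated.
ASSIGNMENT = re.compile(
    r'(?P<name>[A-Za-z_]\w*)(?P<eq>\s*=\s*)'
    r'(?P<addr>0x[0-9a-fA-F]+\s+)?'
    r'"(?:[^"\\]|\\.)*"(?:\.\.\.)?'
)

def scrub_backtrace(text, placeholder="<redacted>"):
    """Return (scrubbed_text, redaction_count) for gdb-style backtrace text."""
    count = 0

    def replace(match):
        nonlocal count
        if not SENSITIVE.search(match.group("name")):
            return match.group(0)  # leave non-sensitive strings readable
        count += 1
        # Keep the name and address so the frame stays useful for debugging.
        return (match.group("name") + match.group("eq")
                + (match.group("addr") or "") + '"' + placeholder + '"')

    return ASSIGNMENT.sub(replace, text), count

# Constructed sample in the style of "bt full" output; function, file and
# most addresses are made up for the example.
SAMPLE = r'''#0  0xb7d0e2a3 in strchr () from /lib/libc.so.6
No symbol table info available.
#1  0x0805a1c4 in example_store (name=0x80a4120 "mail account", secret=0xb7efb038 "now is the time") at example.c:212
        attrs = 0x0
        secret_copy = 0x80a5008 "now is the \"time\""
        len = 15
'''

if __name__ == "__main__":
    scrubbed, redactions = scrub_backtrace(SAMPLE)
    print(scrubbed)
    print(f"{redactions} value(s) redacted")
```

Name matching only catches strings held in variables whose names give them away, and it filters the debugger output without touching the core file itself.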
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Visibility changed to: Public

** This bug is no longer flagged as a security issue
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=464859

** Changed in: gnome-keyring (Ubuntu)
     Assignee: (unassigned) => Ubuntu Desktop Bugs
       Status: New => Triaged

** Also affects: gnome-keyring (upstream) via
   http://bugzilla.gnome.org/show_bug.cgi?id=464859
   Importance: Unknown
       Status: Unknown
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
The backtrace has 'secret = 0xb7efb038 now is the time', which I didn't notice before sending the bug. Not sure if that's the keyring key; the bug is marked private, but you might want to change it if that's private information.
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Wed, 2007-08-08 at 22:07 +, Kees Cook wrote:
> ** Visibility changed to: Public

Complete with my secret in it. Thanks very much.

I really don't think it is your place to determine if a bug I marked private is indeed private or public. I marked it private for very good reason. I obviously had more instinct that there was probably private data in it than you did.

I have warned about this exact problem time and time again within different bugs in Launchpad with this automated (apport) bug submission tool. It's obviously high time for official policy on dealing with bugs marked as private/security issue which may contain private data.

I wonder how many users are compromising security of systems without even realizing it.

b.

--
Brian J. Murrell
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Wed, 2007-08-08 at 22:55 +, Sebastien Bacher wrote:
> The backtrace has 'secret = 0xb7efb038 now is the time', which I didn't notice before sending the bug. Not sure if that's the keyring key; the bug is marked private, but you might want to change it if that's private information.

Apparently it's not private. Kees Cook changed the visibility to public. I have already made my position clear about that. Indeed, I am not at all happy about it.

I'm really not sure how to balance the usefulness of my reporting bugs with apport and all of the data that it may contain with the possibility (and indeed, probability as we have now seen) that that data may be secret and shared with anyone who wishes to look.

As I've said before, this needs to be addressed -- somehow.

b.

--
Brian J. Murrell
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Visibility changed to: Private

** This bug has been flagged as a security issue