*** This bug is a security vulnerability ***

Public security bug reported:

See the bug report
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1738564
created with ubuntu-bug.

Apport includes the file JournalErrors.txt. This file includes e.g. the
following line.

  Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=xxxx...@xxxx.xxxxxxxxxxx.org

Normally it would not be a problem that gdm-x-session writes this to the
journal, because the journal is not intended to be published on the
internet. Setting confidential information via the environment is maybe
not the best idea, but it is a legal procedure and for `mpc` the only way
to set this information.

IMHO the apport utility is the problem here, because it includes the file
with risky information in a publicly visible bug report.

Note: I manually deleted the attachment in the mentioned bug report. But
how can I be sure that a web crawler hasn't read/preserved that
attachment?

** Affects: apport (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: xenial

** Information type changed from Private Security to Public Security

** Package changed: evolution (Ubuntu) => apport (Ubuntu)

** Tags added: xenial

** Summary changed:

- apport leaks environment variables (including passwords!) to bug reports
+ apport is leaking environment variables (including passwords!) to puplic bug reports

** Summary changed:

- apport is leaking environment variables (including passwords!) to puplic bug reports
+ apport is leaking environment variables (including passwords!) to public bug reports

-- 
https://bugs.launchpad.net/bugs/1738581

Title:
  apport is leaking environment variables (including passwords!) to public bug reports
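
A defender-side check for the leak described in this report, as an added example that is not part of the original bug report or of apport's code: it redacts the values of environment assignments in journal text such as JournalErrors.txt before the file is attached anywhere public. The function name `scrub_journal`, the sensitive-name pattern, and the sample lines (including `example-app` and every value in them) are assumptions constructed for illustration.

```python
import re

REDACTED = "<redacted>"

# The journal message quoted in the report:
#   "dbus-update-activation-environment: setting NAME=value"
_DBUS_SETTING = re.compile(
    r"(dbus-update-activation-environment: setting )([A-Za-z_][A-Za-z0-9_]*)=(.*)$"
)
# Generic NAME=value tokens on any other journal line.
_ASSIGN = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
# Name fragments treated as sensitive (assumption; tune for your environment).
_SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|KEY|AUTH|CRED", re.IGNORECASE)


def scrub_journal(text):
    """Return (scrubbed_text, redacted_names) for journal text."""
    names = []

    def redact_if_sensitive(match):
        name = match.group(1)
        if _SENSITIVE.search(name):
            names.append(name)
            return name + "=" + REDACTED
        return match.group(0)

    out = []
    for line in text.splitlines():
        m = _DBUS_SETTING.search(line)
        if m:
            # Every exported value is dropped: a harmless-looking name such
            # as MPD_HOST can carry a password, so the name is not trusted.
            names.append(m.group(2))
            line = line[:m.start()] + m.group(1) + m.group(2) + "=" + REDACTED
        else:
            line = _ASSIGN.sub(redact_if_sensitive, line)
        out.append(line)
    return "\n".join(out), names


# Constructed sample input; hostnames, process names and values are made up.
SAMPLE = """\
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting MPD_HOST=examplepw@mpd.example.org
Dez 16 19:11:31 hostname /usr/lib/gdm3/gdm-x-session[9679]: dbus-update-activation-environment: setting LANG=de_DE.UTF-8
Dez 16 19:11:32 hostname example-app[9700]: started with API_TOKEN=abc123 retries=3
"""

if __name__ == "__main__":
    scrubbed, redacted = scrub_journal(SAMPLE)
    print(scrubbed)
    print("redacted variables:", ", ".join(redacted))
```

The list of redacted names can be shown to the reporter for review before upload, since it reveals which variables were present without revealing their values.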