[Bug 1077074] Re: /var/crash is unencrypted

Marcus Tomlinson marcus.tomlinson at canonical.com
Thu Mar 5 12:54:55 UTC 2020 

This release of Ubuntu is no longer receiving maintenance updates. If
this is still an issue on a maintained version of Ubuntu please let us
know.

** Changed in: apport (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1077074

Title:
  /var/crash is unencrypted

Status in apport package in Ubuntu:
  Incomplete

Bug description:
  When using encrypted (ecryptfs) home directories, although the swap
  device is encrypted there is a potential information leak via
  /var/crash. I was able to successfully recover plaintext content from
  a file being edited within the encrypted directory when the editor
  crashed (triggered by SIGILL for testing) simply by mounting the root
  device on another system and extracting the core dump from the .crash
  file. As these files remain on the filesystem until cleaned up by cron
  this represents a significant vulnerability, especially for laptop
  users.

  To reproduce:
  1) Open a sensitive file for editing (e.g. in vim)
  2) Trigger a core dump in the editor
  [Alternatively: 1&2) steal a laptop]
  3) Mount the device containing /var/crash on another system
  4) Extract core dumps from /var/crash/*.crash
  5) Search the dumps for sensitive plaintext

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: apport 2.6.1-0ubuntu6
  ProcVersionSignature: Ubuntu 3.5.0-18.18-lowlatency 3.5.7
  Uname: Linux 3.5.0-18-lowlatency x86_64
  ApportVersion: 2.6.1-0ubuntu6
  Architecture: amd64
  Date: Fri Nov  9 16:40:08 2012
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2012-10-11 (28 days ago)
  InstallationMedia: Ubuntu-Studio 12.04.1 "Precise Pangolin" - Release amd64 (20120818)
  MarkForUpload: True
  PackageArchitecture: all
  SourcePackage: apport
  UpgradeStatus: Upgraded to quantal on 2012-10-26 (14 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1077074/+subscriptions

More information about the foundations-bugs mailing list