[Bug 1077074] Re: /var/crash is unencrypted
Marcus Tomlinson
marcus.tomlinson at canonical.com
Thu Mar 5 12:54:55 UTC 2020
This release of Ubuntu is no longer receiving maintenance updates. If
this is still an issue on a maintained version of Ubuntu please let us
know.
** Changed in: apport (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1077074
Title:
/var/crash is unencrypted
Status in apport package in Ubuntu:
Incomplete
Bug description:
When using encrypted (ecryptfs) home directories, although the swap
device is encrypted there is a potential information leak via
/var/crash. I was able to successfully recover plaintext content from
a file being edited within the encrypted directory when the editor
crashed (triggered by SIGILL for testing) simply by mounting the root
device on another system and extracting the core dump from the .crash
file. As these files remain on the filesystem until cleaned up by cron
this represents a significant vulnerability, especially for laptop
users.
To reproduce:
1) Open a sensitive file for editing (e.g. in vim)
2) Trigger a core dump in the editor
[Alternatively: 1&2) steal a laptop]
3) Mount the device containing /var/crash on another system
4) Extract core dumps from /var/crash/*.crash
5) Search the dumps for sensitive plaintext
ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: apport 2.6.1-0ubuntu6
ProcVersionSignature: Ubuntu 3.5.0-18.18-lowlatency 3.5.7
Uname: Linux 3.5.0-18-lowlatency x86_64
ApportVersion: 2.6.1-0ubuntu6
Architecture: amd64
Date: Fri Nov 9 16:40:08 2012
EcryptfsInUse: Yes
InstallationDate: Installed on 2012-10-11 (28 days ago)
InstallationMedia: Ubuntu-Studio 12.04.1 "Precise Pangolin" - Release amd64 (20120818)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: apport
UpgradeStatus: Upgraded to quantal on 2012-10-26 (14 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1077074/+subscriptions
More information about the foundations-bugs
mailing list