ProcMaps.txt may contain private information such as username

Thomas Ward trekcaptainusa.tw at gmail.com
Fri Jul 27 15:28:52 UTC 2012


To quote Andrea Corbellini on the bug you linked us to:


> Bug reports created by Apport may contain a variety of sensitive
> information -- from user names to credit card numbers. If you think that
> ProcMaps.txt is leaking private information, then don't look at the other
> files!



> Well, jokes apart, all potentially sensitive information uploaded is always
> secured and reviewed by experienced and competent people. When real
> sensitive information is found, it is removed before a bug report is
> made public. There are well-established procedures used to deal with such
> cases.


These competent people are a small subgroup of people who can see bugs.
These bugs are screened for private information such as user names or
credit card numbers.  Before those bugs get set as publicly visible,
members of the teams who can see those private bugs screen the information
for such private data, and either remove the file or handle it
accordingly.  Thus far, I've not witnessed any breaches in this.

There have been crash bugs on other applications and packages (of which I
have personally triaged or reviewed, as a member of that package's upstream
team or as a member of BugControl), and sometimes this "private
information" is included in crash stack traces for python programs.  Since
for the package I referred to only BugControl can see the private
information, what I did in that particular instance was obfuscate that
information by replacing the user name with 'IAmATeapot' or some other
random name that does not exist, thereby obfuscating the information (and
of course removing the original file uploaded by Apport), long before
setting the bug as a public security bug.


If I may ask, Fred, why, personally, would you want that information
purged, other than "Oh, my user name is in there"?  Generally speaking, if
your username is there, but you don't have, say, an SSH server running, or a
DMZ'd system with no firewall protection or other form of protection, or
are intentionally not hardening your system, disclosing your username is
not **too** much of a threat.


-------
Thomas Ward
LPID: trekcaptainusa-tw
Ubuntu BugSquad Member

On Thu, Jul 26, 2012 at 12:39 PM, Fred . <eldmannen at gmail.com> wrote:

> https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1029189
>
> The ProcMaps.txt file that gets uploaded to Launchpad may contain
> private information such as username that can be obtained from the
> path of the home directory.
>
> 7fbd44c33000-7fbd44c34000 r--s 00000000 08:01 1306557
> /home/alice/.local/share/mime/mime.cache
>
> I propose scrubbing/anonymizing the username.
>
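
One way the scrubbing proposed in the quoted message could be done, as an added example that is not part of the original thread and is not Apport's code. The function name `scrub_proc_maps`, the placeholder `USER` and the assumption that home directories sit directly under `/home` are all illustrative.

```python
import re

# /proc/<pid>/maps columns: address range, perms, offset, dev, inode, [pathname]
MAPS_LINE = re.compile(
    r"^(?P<head>[0-9a-f]+-[0-9a-f]+ +\S{4} +[0-9a-f]+ +[0-9a-f]+:[0-9a-f]+ +\d+)"
    r"(?P<gap> *)(?P<path>.*)$"
)
# Assumption: home directories live directly under /home.
HOME = re.compile(r"^/home/([^/]+)(?=/|$)")


def scrub_proc_maps(text, placeholder="USER"):
    """Return (scrubbed_text, usernames) for the contents of a ProcMaps.txt.

    Only the pathname column is rewritten; addresses, permissions, offsets
    and inodes are kept because triagers need them to read the crash.
    """
    rows = [MAPS_LINE.match(line) or line for line in text.splitlines()]

    # Pass 1: learn usernames from /home/<name>/... pathnames.
    users = set()
    for row in rows:
        if not isinstance(row, str):
            m = HOME.match(row.group("path"))
            if m:
                users.add(m.group(1))

    # Pass 2: replace each name wherever it is a whole token in a pathname,
    # which also covers paths such as /media/<name>/ or /tmp/orbit-<name>/.
    # A name that equals a system directory (e.g. "lib") gets over-scrubbed.
    out = []
    for row in rows:
        if isinstance(row, str):
            out.append(row)  # not a maps line: keep untouched
            continue
        path = row.group("path")
        for name in sorted(users, key=len, reverse=True):
            token = r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(name)
            path = re.sub(token, placeholder, path)
        out.append(row.group("head") + row.group("gap") + path)
    return "\n".join(out), users


# First entry is the one quoted in the thread (rejoined); the rest are constructed.
SAMPLE = """\
7fbd44c33000-7fbd44c34000 r--s 00000000 08:01 1306557 /home/alice/.local/share/mime/mime.cache
7fbd44e00000-7fbd44fb5000 r-xp 00000000 08:01 393251 /lib/x86_64-linux-gnu/libc-2.15.so
7fbd45000000-7fbd45001000 rw-s 00000000 00:14 52311 /tmp/orbit-alice/shm-0 (deleted)
7fff1c9d2000-7fff1c9f3000 rw-p 00000000 00:00 0 [stack]"""
```

This only covers ProcMaps.txt; the same username can still appear in the other files attached to a report, such as stack traces.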