Somewhat urgent privacy concern

Jan Claeys lists at janc.be
Mon Aug 31 02:59:08 BST 2009


On Saturday 29-08-2009 at 18:14 [timezone +0200], Arand Nash wrote:
> This comes about since U1's crash reports contain a list of all the
> U1 files and folders of the reporting user (LP: 419895), AND that
> those attachments are not removed when the bug is marked as a
> duplicate and made public by the apport retracing service (LP:
> 419929).

IMO this behaviour is not only a privacy issue, but also a possible
security issue: https://bugs.launchpad.net/malone/+bug/354634

It means that the details of a known crasher bug (and thus a possibly
exploitable condition) are publicly available; wannabe attackers can
scan for recent LP bugs that are marked as duplicates after an apport
retrace.

Let's say that LP makes things a little bit easier for malicious people
this way...


-- 
Jan Claeys



