apport doesn't deliver aiccu.log but sensitive information with bug reports

Bug #1001432 reported by Lars Düsing
Affects          Status        Importance  Assigned to       Milestone
aiccu (Ubuntu)   Fix Released  Undecided   Lars Düsing
Precise          Fix Released  Undecided   Marc Deslauriers
Quantal          Fix Released  Undecided   Lars Düsing

Bug Description

There should be /var/log/aiccu.log in apport-bug-reports

Lars Düsing (lars.duesing) wrote :

I'm fixing it at the moment...

Changed in aiccu (Ubuntu):
assignee: nobody → Lars Düsing (lars.duesing)
Lars Düsing (lars.duesing) wrote :
Changed in aiccu (Ubuntu):
status: New → Fix Committed
Lars Düsing (lars.duesing) wrote :
summary: - apport doesn't deliver aiccu.log with bug reports
+ apport doesn't deliver aiccu.log but sensitive information with bug
+ reports
Lars Düsing (lars.duesing) wrote :

{preparation for SRU}
[Impact]
- High impact
 * Sensitive Information is transmitted to public launchpad (Username, PASSWORD!)
- Medium to Low impact
 * Finding configuration errors is harder without aiccu.log

[Test Case]
 apport-bug --save /tmp/apport-aiccu.report aiccu
  - verify that your information is in the report -> after the patch there should be ##MASKED## instead of it.
  - verify the presence of "var.log.aiccu.log" -> after patch there should be this key with the relevant information

[Regression Potential]
 - relatively low
 * it could happen that there are no apport-reports at all. (If my apport-hook is failing that horribly...)
 * there should be no regression potential at all for the service aiccu - there is no change in any part called by this programme.

Lars Düsing (lars.duesing) wrote :

aiccu (20070115-14.1ubuntu3.1) precise; urgency=low

  * SECURITY UPDATE: Remove personal data (username, password, tunnel_id) in apport-reports (LP: #1001432)
    - added debian/aiccu.py: added a specialized apport-hook which masks the data before it is sent to launchpad.
    - changed debian/aiccu.install: installs the apport-hook
  * Add apport hook for /var/log/aiccu.log

 -- Lars Duesing <email address hidden> Mon, 11 Jun 2012 15:31:22 +0200
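
The masking step from the changelog and the check from the test case, sketched as an added example; this is not the debian/aiccu.py shipped in the package. The /etc/aiccu.conf path, its "key value" line syntax, the AiccuConf report key and all helper names are assumptions, and apport itself is not imported so the sketch runs stand-alone.

```python
import os
import re

MASK = "##MASKED##"  # marker named in the test case
SENSITIVE = ("username", "password", "tunnel_id")  # fields listed in the changelog
# Assumed aiccu.conf syntax: one "key value" pair per line. Commented-out
# lines are matched too, since they can still hold old credentials.
_PAIR = re.compile(r"^(\s*#?\s*(?:%s)[ \t]+)(\S.*?)\s*$" % "|".join(SENSITIVE), re.I)

def mask_config(text):
    """Return the config text with every sensitive value replaced by MASK."""
    return "\n".join(_PAIR.sub(lambda m: m.group(1) + MASK, line)
                     for line in text.splitlines())

def sensitive_values(text):
    """Collect the raw values of the sensitive keys from config text."""
    return {m.group(2) for m in map(_PAIR.match, text.splitlines()) if m}

def leaked(report, conf_text):
    """Test-case check: report keys whose value still contains a secret."""
    secrets = sensitive_values(conf_text)
    return sorted(k for k, v in report.items() if any(s in str(v) for s in secrets))

def _read(path):
    with open(path, errors="replace") as fh:
        return fh.read()

def add_info(report, ui=None, conf="/etc/aiccu.conf", log="/var/log/aiccu.log"):
    """apport-style hook entry point; `report` behaves like a dict."""
    if os.path.exists(conf):
        report["AiccuConf"] = mask_config(_read(conf))  # key name is hypothetical
    if os.path.exists(log):
        report["var.log.aiccu.log"] = _read(log)  # key named in the test case

# Constructed sample, not a real account.
SAMPLE_CONF = """\
# AICCU configuration
username EXAMPLE-USER
password correct-horse
#password old-secret
tunnel_id T00000
server tic.example.net
"""
```

Running `leaked()` over a saved report covers the attached log as well as the masked config, so it also catches a credential that reaches the report through another key.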

Lars Düsing (lars.duesing) wrote :

There won't be any security-updates for versions before precise, because the problem cannot happen in pre-precise: apport is enabled only in precise and up.

Marc Deslauriers (mdeslaur) wrote :

ACK on the quantal branch, I've uploaded it.
ACK on the precise security update. I've uploaded it also, with a slight modification to the changelog to break the long lines.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aiccu - 20070115-15ubuntu2

---------------
aiccu (20070115-15ubuntu2) quantal; urgency=low

  * Add apport hook for /var/log/aiccu.log (LP: #1001432)
  * Remove personal data (username, password, tunnel_id) in apport-reports
 -- Lars Duesing <email address hidden> Sun, 10 Jun 2012 10:34:01 +0200

Changed in aiccu (Ubuntu):
status: Fix Committed → Fix Released
Changed in aiccu (Ubuntu Precise):
status: New → Fix Committed
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aiccu - 20070115-14.1ubuntu3.1

---------------
aiccu (20070115-14.1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: Remove personal data (username, password, tunnel_id)
    in apport-reports (LP: #1001432)
    - added debian/aiccu.py: added a specialized apport-hook which masks
      the data before it is sent to launchpad.
    - changed debian/aiccu.install: installs the apport-hook
  * Add apport hook for /var/log/aiccu.log
 -- Lars Duesing <email address hidden> Mon, 11 Jun 2012 15:31:22 +0200

Changed in aiccu (Ubuntu Precise):
status: Fix Committed → Fix Released