Should not include private PPA details in software-center.log
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
software-center (Ubuntu) | Fix Released | High | Gary Lasker |
Maverick | Fix Released | High | Unassigned |
Natty | Fix Released | High | Unassigned |
Bug Description
Currently, when a transaction failed error occurs, we log the error
message from aptdaemon in software-
failure was associated with a private PPA, the username and password
details will be included in the message from aptdaemon and so will be
included in the log. Since this log can potentially be exposed in a bug
report, we should obfuscate these details in both the log message and
also in the corresponding dialog that is displayed for the error (since
a screenshot of the dialog could potentially be attached to a bug as well).
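As an added example (not software-center's own code), here is one way to apply the obfuscation described above in Python: every URL embedded in an aptdaemon error message has its user:password portion rewritten to the "hidden:hidden" form the test case looks for, so the same string is safe both to write to the log and to show in the error dialog. The sample message, host name and credentials are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the kind of aptdaemon error text that would reach
# the log and the "Details" pane; host, PPA path and credentials are made up.
SAMPLE_ERROR = (
    "Failed to fetch https://someuser:s3cr3t@private-ppa.launchpad.net/"
    "commercial-ppa-uploaders/steel-storm/ubuntu/pool/main/s/steel-storm/"
    "steel-storm_1.0_amd64.deb  Could not resolve host"
)

# Matches scheme://... up to the next whitespace or quote/angle bracket.
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s\"'<>]+")


def hide_url_credentials(url: str) -> str:
    """Return the URL with any userinfo replaced by hidden:hidden.

    The host (including a port or bracketed IPv6 literal) and the path are
    kept verbatim so the message stays useful for diagnosing the failure.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # no userinfo present, nothing to hide
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="hidden:hidden@" + hostport))


def obfuscate_private_ppa_details(message: str) -> str:
    """Rewrite every URL in an aptdaemon message before logging/displaying it."""
    return _URL_RE.sub(lambda m: hide_url_credentials(m.group(0)), message)


if __name__ == "__main__":
    print(obfuscate_private_ppa_details(SAMPLE_ERROR))
```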
TEST CASE for Maverick and Natty SRUs:
1. (For Maverick) Update to Software Center 3.0.10 in maverick-proposed.
-or-
1. (For Natty) Update to Software Center 4.0.5 in natty-proposed.
2. Open Software Center, navigate to the "For Purchase" section and purchase an item (or simply reinstall a previously purchased item if you have one). Note that a larger package download will make verification easier, as it provides more time to interrupt the download in progress to induce the failure mode. Note that Steel Storm: Burning Retribution is a ~690MB download and is priced at $4.99, making it a good candidate for this test (but any purchased package will do).
3. After the package download has begun and during the download itself, shut off your network connection.
4. Wait for the transaction to time out (this takes a couple of minutes). The failure is indicated when the "Failed to download package files" error dialog appears.
5. In the error dialog, expand the "Details" section and verify that the username and password portions of the given URL are rendered as "hidden:hidden" (e.g. "Failed to fetch https:/
6. View the file ~/.cache/
Changed in software-center (Ubuntu Maverick):
status: New → In Progress
Changed in software-center (Ubuntu Natty):
status: New → In Progress
Changed in software-center (Ubuntu Maverick):
importance: Undecided → High
Changed in software-center (Ubuntu Natty):
importance: Undecided → High
description: updated
tags: added: verification-done; removed: verification-needed
visibility: private → public
I am unsubscribing the security team as this is not technically a security vulnerability. I just set the option in order to have the bug opened as private by default. Thanks and sorry for the inconvenience.