touch-packages team mailing list archive

[Bug 107103] Re: Allow user to suppress individual fields when sending a report

 

** Changed in: apport (Ubuntu)
   Importance: Medium => Wishlist

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/107103

Title:
  Allow user to suppress individual fields when sending a report

Status in apport package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: apport

  When apport detects a crash in an application that handles passwords
  there is a huge opportunity for an unwitting user to upload an
  attachment (i.e. a core file) with their password in it!

  I'm not sure what the answer is to this problem.  Initially I thought
  that applications that even come remotely close to handling passwords
  should be flagged and their bug reports be marked private when
  uploaded.  That only limits possible password disclosure though.

  Probably what is needed is some kind of password scrubbing tool that
  iterates over all of the attachments looking for a list of strings
  (i.e. passwords) and replaces them with something like "***" (enough to
  fill the string).  That would require that apport know a user's
  password(s) in plain-text though.  As bad as that is, sending
  passwords to an open and public bug reporting system is even worse.

  Thoughts?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/107103/+subscriptions
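
The scrubbing idea in the bug description, sketched as an added example (not part of the original report and not apport's code): known secrets are masked in a binary attachment with a fill of equal length, so offsets in a core file stay valid. The function names, the encoding list and the sample bytes are assumptions made for illustration.

```python
"""Length-preserving secret scrubbing over a binary attachment (added example)."""

# Assumption: a password may sit in memory as UTF-8 (typical C strings) or as
# UTF-16LE (wide strings used by some toolkits). Extend the tuple as needed.
ENCODINGS = ("utf-8", "utf-16-le")

# Constructed sample standing in for a core-file fragment; not real crash data.
SAMPLE = (b"\x7fELF\x00\x00user=alice\x00pass=hunter2\x00"
          + "hunter2".encode("utf-16-le") + b"\x00\x00tail")


def build_patterns(secrets):
    """Return the byte form of every secret in every encoding, longest first."""
    patterns = set()
    for secret in secrets:
        if not secret:
            continue  # an empty pattern would match at every offset
        for enc in ENCODINGS:
            patterns.add(secret.encode(enc))
    # Longest first, so a secret that contains another one is masked whole.
    return sorted(patterns, key=len, reverse=True)


def scrub(data, secrets, fill=b"*"):
    """Overwrite each occurrence of a secret with fill bytes of the same length.

    Returns (scrubbed_bytes, number_of_replacements). The output has exactly
    the same size as the input.
    """
    buf = bytearray(data)
    count = 0
    for pat in build_patterns(secrets):
        start = buf.find(pat)
        while start != -1:
            buf[start:start + len(pat)] = fill * len(pat)
            count += 1
            start = buf.find(pat, start + len(pat))
    return bytes(buf), count


if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE, ["hunter2"])
    print(hits, cleaned)
```

This only works on raw bytes before any compression or encoding step; a secret that is split, transformed or compressed inside the attachment will not match.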