touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #126950
[Bug 107103] Re: Allow user to suppress individual fields when sending a report
** Changed in: apport (Ubuntu)
Importance: Medium => Wishlist
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/107103
Title:
Allow user to suppress individual fields when sending a report
Status in apport package in Ubuntu:
Triaged
Bug description:
Binary package hint: apport
When apport detects a crash in an application that handles passwords
there is a huge opportunity for an unwitting user to upload an
attachment (i.e. a core file) with their password in it!
I'm not sure what the answer is to this problem. Initially I thought
that applications that even come remotely close to handling passwords
should be flagged and their bug reports be marked private when
uploaded. That only limits possible password disclosure though.
Probably what is needed is some kind of password scrubbing tool that
iterates over all of the attachments looking for a list of strings
(i.e. passwords) and replace them with something like "***" (enough to
fill the string). That would require that apport know a users
password(s) in plain-text though. As bad as that is, sending
passwords to an open and public bug reporting system is even worse.
Thots?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/107103/+subscriptions