Bug 1277872

Summary: Abrt leaks sensitive data when adding a comment to another bug report
Product: [Fedora] Fedora
Reporter: Christian Stadelmann <fedora>
Component: abrt
Assignee: abrt <abrt-devel-list>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 23
CC: abrt-devel-list, dvlasenk, iprikryl, jfilak, mhabrnal, michal.toman, mmilata
Hardware: Unspecified
OS: Unspecified
Fixed In Version: abrt-2.8.0-1.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-04 23:22:46 UTC
Type: Bug

Description Christian Stadelmann 2015-11-04 09:56:28 UTC
Description of problem:
When reporting a bug you can see an option to limit access to your data to the fedora contrib group. This option is ignored if abrt doesn't open a new bug report but just adds a comment to an existing one.

Version-Release number of selected component (if applicable):
abrt-2.7.0-2.fc23.x86_64
gnome-abrt-1.2.0-5.fc23.x86_64

How reproducible:
I don't know yet.

Steps to Reproduce:
1. use gnome-abrt to report a bug
2. choose to limit access to bug report data
3. check bugzilla bug report

Actual results:
See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1264512#c15 : The comment is visible for anyone, although I chose to limit access.

Expected results:
The comment should not be publicly visible.

Comment 1 Jakub Filak 2015-11-04 10:26:41 UTC
I am sorry, I have made your comment private.

I am not sure the Bugzilla comment access rights granularity allows us to choose certain groups. I am afraid we will have to force creation of a new bug in these cases.
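
The mismatch discussed in Comment 1, as an added example (not libreport code and not the upstream fix): a new bug can carry a group restriction, a comment on an existing bug cannot, so a restricted report that matches a duplicate has to become a new bug. The method and field names follow the Bugzilla WebService API; `Report`, the `plan_*` helpers, the group name and the bug id are hypothetical or constructed.

```python
# Added example, not libreport code. Method and field names follow the
# Bugzilla WebService API; Report and the plan_* helpers are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Report:
    summary: str
    text: str
    groups: list = field(default_factory=list)  # groups the reporter limited access to

def create_call(r: Report):
    # Bug.create accepts `groups`, so a new bug can carry the restriction.
    return ("Bug.create", {"summary": r.summary, "description": r.text,
                           "groups": list(r.groups)})

def comment_call(r: Report, bug_id: int):
    # Bug.add_comment has only a boolean `is_private`; it cannot name groups,
    # and the comment is otherwise as visible as the bug it lands on.
    return ("Bug.add_comment", {"id": bug_id, "comment": r.text,
                                "is_private": False})

def plan_before(r: Report, duplicate_id: Optional[int]):
    """Behaviour described in the report: a duplicate always gets a comment."""
    return create_call(r) if duplicate_id is None else comment_call(r, duplicate_id)

def plan_after(r: Report, duplicate_id: Optional[int]):
    """Approach from Comment 1: a restricted report forces a new bug."""
    if duplicate_id is None or r.groups:
        return create_call(r)
    return comment_call(r, duplicate_id)

def drops_restriction(r: Report, call) -> bool:
    """True when the reporter asked for a restriction the call does not carry."""
    _method, params = call
    return bool(r.groups) and params.get("groups", []) != r.groups

# Constructed sample: a restricted report whose crash matches an existing bug.
SAMPLE = Report("crash in example-app", "backtrace with local paths",
                groups=["example_private_group"])  # constructed group name
DUPLICATE_ID = 1000001  # constructed bug id

if __name__ == "__main__":
    for plan in (plan_before, plan_after):
        call = plan(SAMPLE, DUPLICATE_ID)
        state = "drops restriction" if drops_restriction(SAMPLE, call) else "ok"
        print(plan.__name__, call[0], state)
```
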

Comment 2 Jakub Filak 2015-11-24 15:24:17 UTC
Upstream pull request: https://github.com/abrt/libreport/pull/393

Comment 3 Fedora Update System 2016-02-02 16:12:29 UTC
libreport-2.6.4-1.fc23 abrt-2.7.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-933459f83c

Comment 4 Fedora Update System 2016-02-03 23:02:00 UTC
abrt-2.8.0-1.fc23, libreport-2.6.4-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-933459f83c

Comment 5 Fedora Update System 2016-02-04 23:22:33 UTC
abrt-2.8.0-1.fc23, libreport-2.6.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.