Bug 748457

Summary: privacy violation (account name exposure) via abrt + telepathy + freedesktop
Product: [Fedora] Fedora
Reporter: Jan Iven <jan.iven>
Component: abrt
Assignee: Jiri Moskovcak <jmoskovc>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dfediuck, dvlasenk, iprikryl, jmoskovc, kklic, mmilata, mtoman, npajkovs, scorneli, security-response-team, vdanen
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: abrt-2.0.7-2.fc16
Doc Type: Bug Fix
Last Closed: 2011-12-16 19:54:15 UTC
Bug Blocks: 749854

Description Jan Iven 2011-10-24 14:06:52 UTC
Description of problem:

telepathy apparently crashes a lot around "butterfly.connection.ButterflyConnection" (silly name, right?). And it uses the account name as key for a "freedesktop" connector, of the form
/org/freedesktop/Telepathy/Connection/butterfly/msn/donkishoot_40wanadoo_2efr at 

Of course, the real culprit (both for crashing, and for the account names) is telepathy. However, it is "abrt" which is then publishing them on the web - and whereas the users are invited to edit the backtrace.

I am not quite sure how this could be addressed:
* perhaps show the full report (incl all fields) for editing?
* have a blacklist of personal information that would get auto-filtered (but "short" account names might create false positives, and anyway IM accounts have no relationship to local usernames)
* have a blacklist of such misbehaving applications inside abrt?

Comment 1 Jiri Moskovcak 2011-10-24 14:18:52 UTC
One of the items on our TODO list is to make the search box search through all the text fields in abrt; this should help a lot in these cases.

Comment 3 Jiri Moskovcak 2011-10-26 06:52:54 UTC
I added functionality which enables the user to search for sensitive data through all the information gathered by ABRT in one step. As per c#1 we can also add some keywords to look for in the data by default and warn the user that there is probably something he'd rather not send to bugzilla (*pass*, username, *.avi, *.mpg, ..). We can also provide some machinery which would search for private data based on some regexps, and those regexps would be provided by the package maintainers

e.g:

- just drop a file to:

/etc/libreport/filters.d/telepathy.regex

- and libreport would use it to automatically search the data..
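
A sketch of the per-package filter idea from comment 3, added here as an example; it is not part of the bug thread and is not libreport's code. The filter-file syntax (one regex per line, '#' comments, an optional "secret" group), the function names, and the sample report fields are assumptions; the _XX hex decoding follows the escaping visible in the object path quoted in the description.

```python
import re

# Constructed stand-in for a maintainer-supplied filter file such as the
# /etc/libreport/filters.d/telepathy.regex proposed above. The file syntax
# (one regex per line, '#' comments, optional "secret" group) is an assumption.
TELEPATHY_FILTER = r"""
# Connection object path: .../Connection/<manager>/<protocol>/<escaped account>
/org/freedesktop/Telepathy/Connection/\w+/\w+/(?P<secret>\w+)
"""

# Constructed report fields; the account name is made up.
SAMPLE_REPORT = {
    "backtrace": "#3 0x0000003a4de0 in g_main_loop_run ()",
    "reason": "KeyError in butterfly.connection.ButterflyConnection object at "
              "/org/freedesktop/Telepathy/Connection/butterfly/msn/alice_40example_2eorg",
}

def load_filters(text):
    """Compile every non-blank, non-comment line of a filter file."""
    lines = (line.strip() for line in text.splitlines())
    return [re.compile(l) for l in lines if l and not l.startswith("#")]

def unescape(identifier):
    """Undo the _XX hex escaping seen in the object path (_40 -> '@', _2e -> '.')."""
    return re.sub(r"_([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), identifier)

def _span(m):
    """Span of the sensitive part: the "secret" group if defined, else the match."""
    return m.span("secret") if "secret" in m.re.groupindex else m.span()

def scan(fields, filters):
    """Search all fields in one pass; return (field, decoded value) per hit."""
    hits = []
    for name, text in fields.items():
        for rx in filters:
            for m in rx.finditer(text):
                start, end = _span(m)
                hits.append((name, unescape(text[start:end])))
    return hits

def redact(fields, filters, mask="<redacted>"):
    """Return a copy of the fields with each sensitive span replaced by mask."""
    out = {}
    for name, text in fields.items():
        for rx in filters:
            # Work right to left so earlier spans keep their offsets.
            for m in reversed(list(rx.finditer(text))):
                start, end = _span(m)
                text = text[:start] + mask + text[end:]
        out[name] = text
    return out
```

Scanning every field, not only the backtrace, is the point: in the constructed sample the account name sits in "reason", a field the reporter would not have been prompted to edit.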

Comment 7 Jiri Moskovcak 2011-11-01 17:50:46 UTC
Fixed in git (commit: 7cf4ecbaf2e9a25e874418f04295360c080b2b23 + 1bdf355d381f9fde76a3e905e8ef94c21cfefcd6)

Comment 9 Fedora Update System 2011-12-10 11:06:38 UTC
abrt-2.0.7-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/abrt-2.0.7-2.fc16

Comment 10 Fedora Update System 2011-12-11 21:58:05 UTC
Package abrt-2.0.7-2.fc16, libreport-2.0.8-3.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing abrt-2.0.7-2.fc16 libreport-2.0.8-3.fc16'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16990/libreport-2.0.8-3.fc16,abrt-2.0.7-2.fc16
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-12-16 19:54:15 UTC
abrt-2.0.7-2.fc16, libreport-2.0.8-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.