Bug 748457 - privacy violation (account name exposure) via abrt + telepathy + freedesktop
Summary: privacy violation (account name exposure) via abrt + telepathy + freedesktop
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2011-4088
Reported: 2011-10-24 14:06 UTC by Jan Iven
Modified: 2015-02-01 22:55 UTC (History)

Fixed In Version: abrt-2.0.7-2.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-16 19:54:15 UTC
Type: ---
Embargoed:



Description Jan Iven 2011-10-24 14:06:52 UTC
Description of problem:

telepathy apparently crashes a lot around "butterfly.connection.ButterflyConnection" (silly name, right?). And it uses the account name as key for a "freedesktop" connector, of the form 
/org/freedesktop/Telepathy/Connection/butterfly/msn/donkishoot_40wanadoo_2efr at 

Of course, the real culprit (both for crashing, and for the account names) is telepathy. However, it is "abrt" which is then publishing them on the web - and whereas the users are invited to edit the backtrace.

I am not quite sure how this could be addressed:
* perhaps show the full report (incl all fields) for editing?
* have a blacklist of personal information that would get auto-filtered (but "short" account names might create false positives, and anyway IM accounts have no relationship to local usernames) 
* have a blacklist of such misbehaving applications inside abrt?

Comment 1 Jiri Moskovcak 2011-10-24 14:18:52 UTC
One of our items on the TODO list is to make the search box search through all the text fields in abrt; this should help a lot in these cases.

Comment 3 Jiri Moskovcak 2011-10-26 06:52:54 UTC
I added a functionality which enables the user to search for the sensitive data through all information gathered by ABRT in one step. As per c#1 we can also add some keywords to look for in the data by default and warn the user there is probably something he'd rather not send to bugzilla (*pass*, username, *.avi, *.mpg, ..). We can also provide some machinery which would search the private data based on some regexps, and those regexps would be provided by the package maintainers

e.g:

- just drop file to:

/etc/libreport/filters.d/telepathy.regex

- and libreport would use it to automatically search the data..
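
The filter mechanism sketched in this comment, as an added example that is not part of the bug report and not libreport's own code: regex files are loaded from a filters.d-style directory, every gathered report field is scanned, matches are listed for the user and optionally redacted. The filter-file format (one regex per line, `#` comments, file name as the filter name), the `/etc/libreport/filters.d/` path and the sample report and filter contents are assumptions or constructed; the `_XX` hex escaping decoder shows why a path like the one in the description reads as an e-mail address (`_40` is `@`, `_2e` is `.`).

```python
"""Scan crash-report fields for sensitive data with regex filters from a
filters.d-style directory.  Added example, not libreport's own code; the file
format (one regex per line, '#' comments, file stem = filter name) is assumed."""
import re
import tempfile
from pathlib import Path

# Constructed filter files.  In the scheme sketched above a package maintainer
# would drop them into /etc/libreport/filters.d/ (assumed path).
CONSTRUCTED_FILTERS = {
    "telepathy.regex": (
        "# Telepathy connection object paths embed the escaped account name\n"
        r"/org/freedesktop/Telepathy/Connection/\w+/\w+/[A-Za-z0-9_]+" "\n"
    ),
    "generic.regex": (
        "# keyword hints from the discussion: *pass*, media file names\n"
        r"(?i)pass(?:word|wd)?\s*[=:]\s*\S+" "\n"
        r"\S+\.(?:avi|mpg)\b" "\n"
    ),
}

# Constructed report shaped like the fields abrt gathers (field name -> text).
CONSTRUCTED_REPORT = {
    "reason": "butterfly.connection.ButterflyConnection crashed",
    "backtrace": (
        "Traceback (most recent call last):\n"
        "  File \"butterfly/connection.py\", line 123, in _get_contact\n"
        "self._object_path = '/org/freedesktop/Telepathy/Connection/butterfly/msn/someone_40example_2ecom'\n"
    ),
    "environ": "HOME=/home/user\nMY_PASSWORD=hunter2\n",
    "cmdline": "/usr/bin/python /usr/lib/telepathy/telepathy-butterfly",
}


def load_filters(filters_dir):
    """Return [(filter_name, compiled_regex), ...] from every *.regex file."""
    filters = []
    for path in sorted(Path(filters_dir).glob("*.regex")):
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            filters.append((path.stem, re.compile(line)))
    return filters


def scan_report(report, filters):
    """Return one finding per match (field, filter, matched text) so a
    reporter UI can point the user at exactly what would be sent."""
    findings = []
    for field, text in report.items():
        for name, regex in filters:
            for m in regex.finditer(text):
                findings.append({"field": field, "filter": name, "match": m.group(0)})
    return findings


def redact_report(report, filters):
    """Return a copy of the report with every match replaced by a marker."""
    redacted = {}
    for field, text in report.items():
        for name, regex in filters:
            text = regex.sub("<REDACTED:%s>" % name, text)
        redacted[field] = text
    return redacted


def unescape_dbus_component(component):
    """Decode the _XX hex escaping used in Telepathy object path components,
    so a reviewer sees what the path reveals ('_40' -> '@', '_2e' -> '.')."""
    return re.sub(r"_([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), component)


def demo():
    """Write the constructed filters to a temp dir, scan and redact the report."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in CONSTRUCTED_FILTERS.items():
            Path(d, name).write_text(body)
        filters = load_filters(d)
        findings = scan_report(CONSTRUCTED_REPORT, filters)
        redacted = redact_report(CONSTRUCTED_REPORT, filters)
    return findings, redacted


if __name__ == "__main__":
    found, cleaned = demo()
    for f in found:
        print("%-10s %-10s %s" % (f["field"], f["filter"], f["match"]))
    print(cleaned["backtrace"])
```

Scanning every field rather than only the backtrace matters here: the account name also surfaces in environment and command-line fields, which a backtrace-only editor never shows the user.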

Comment 7 Jiri Moskovcak 2011-11-01 17:50:46 UTC
Fixed in git (commit: 7cf4ecbaf2e9a25e874418f04295360c080b2b23 + 1bdf355d381f9fde76a3e905e8ef94c21cfefcd6)

Comment 9 Fedora Update System 2011-12-10 11:06:38 UTC
abrt-2.0.7-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/abrt-2.0.7-2.fc16

Comment 10 Fedora Update System 2011-12-11 21:58:05 UTC
Package abrt-2.0.7-2.fc16, libreport-2.0.8-3.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing abrt-2.0.7-2.fc16 libreport-2.0.8-3.fc16'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16990/libreport-2.0.8-3.fc16,abrt-2.0.7-2.fc16
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-12-16 19:54:15 UTC
abrt-2.0.7-2.fc16, libreport-2.0.8-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

