Link to CoreDump.gz is sent by e-mail when Apport bug is marked as duplicate
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
High
|
Unassigned | ||
Bug Description
When an apport bug containing a coredump is filed, the bug is marked as private. When this bug gets retraced by the Apport retracing service, the coredump is removed and the bug is marked as public. However, when the Apport retracing service marks this bug as duplicate of another (master) bug, an e-mail containing a link to the coredump.gz is sent to subscribers of the master bug.
As the coredump may contain sensitive information, this is a security issue.
For example, those lines are in the e-mail I received (link censored):
** Tags removed: need-amd64-retrace
** Attachment removed: "CoreDump.gz"
http://
That link actually opens the coredump.
Expected behavior: e-mail sent to subscribers of the master bug should not contain the link to the CoreDump.gz.
The librarian URL is also visible in the bug's activity log.
| William Grant (wgrant) wrote | #1 |
| Changed in malone: | |
| status: | New → Confirmed |
| Matthew Paul Thomas (mpt) wrote | #2 |
| Changed in malone: | |
| importance: | Undecided → High |
| description: | updated |
| Robert Collins (lifeless) wrote | #3 |
Erk, that is bad. Actions performed when the bug was private probably shouldn't be batched in with public notifications.