Leaks summary of private bug when another bug marked as a duplicate

Bug #373683 reported by William Grant
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Fix Released | High | Graham Binns |

Bug Description

When bug #372597 (which is public) was marked as a duplicate of bug #185388 (which was private when the change was made, and also when the notification was sent, but isn't any more) by somebody with access to the private bug, the notification email for the dupe marking contained the summary of the private bug. That's really not good.

Eleanor Berger (intellectronica) wrote :

This happens quite rarely, but can potentially be a serious security leak.

The fix I propose is to check, when the bug notification is being created, whether the bug is private, and to hide its title if it is.

Changed in malone:
assignee: nobody → Tom Berger (intellectronica)
importance: Undecided → Medium
milestone: none → 2.2.6
status: New → Triaged
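
A minimal sketch of the check proposed in the comment above, added here as an illustration; it is not Launchpad's code or the committed fix. The `Bug` model, function names, users and titles are hypothetical, and the per-recipient rendering goes one step beyond the proposal, which hides the title whenever the target bug is private.

```python
from dataclasses import dataclass, field

@dataclass
class Bug:
    # Hypothetical minimal model, not Launchpad's own Bug class.
    id: int
    title: str
    private: bool = False
    viewers: frozenset = field(default_factory=frozenset)  # who may see a private bug

def can_view(bug, user):
    """Public bugs are visible to all; private ones only to listed viewers."""
    return not bug.private or user in bug.viewers

def leaky_notice(dupe, target):
    """Behaviour in the report: text built once, target title always included."""
    return f"Bug #{dupe.id} marked as duplicate of bug #{target.id}: {target.title}"

def safe_notice(dupe, target, recipient=None):
    """Title is shown only if this recipient may view the target.

    The access of the person who marked the duplicate is never consulted, and
    an unknown recipient (None) fails closed, which reduces to the proposed
    "hide the title if the bug is private" check.
    """
    text = f"Bug #{dupe.id} marked as duplicate of bug #{target.id}"
    if can_view(target, recipient):
        return f"{text}: {target.title}"
    return f"{text} (private bug, summary withheld)"

def notify(dupe, target, recipients):
    """Render one message per recipient instead of one shared body."""
    return {r: safe_notice(dupe, target, r) for r in recipients}

# Constructed sample data: bug numbers are from the report, titles and users are invented.
DUPE = Bug(372597, "Constructed public summary")
TARGET = Bug(185388, "Constructed confidential summary", private=True,
             viewers=frozenset({"triager"}))

if __name__ == "__main__":
    print(leaky_notice(DUPE, TARGET))
    for user, body in notify(DUPE, TARGET, ["triager", "subscriber"]).items():
        print(user, "->", body)
```
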
Changed in malone:
assignee: Tom Berger (intellectronica) → nobody
milestone: 2.2.6 → 2.2.7
Changed in malone:
milestone: 2.2.7 → 2.2.8
Deryck Hodge (deryck)
Changed in malone:
milestone: 2.2.8 → 3.0
Deryck Hodge (deryck)
Changed in malone:
milestone: 3.0 → 3.1.10
Karl Fogel (kfogel) wrote :

See also bug #354634 ("bug marked as a duplicate of a private bug is marked as public itself"), which is related though not exactly the same.

Deryck Hodge (deryck)
Changed in malone:
milestone: 3.1.10 → none
Deryck Hodge (deryck)
tags: added: dhrb
Graham Binns (gmb)
tags: added: story-better-bug-notification
Graham Binns (gmb)
Changed in malone:
importance: Medium → High
Graham Binns (gmb) wrote :

It may make sense to fix bug 111147, bug 31586 and bug 138592 at the same time as this.

Graham Binns (gmb)
Changed in malone:
status: Triaged → In Progress
assignee: nobody → Graham Binns (gmb)
milestone: none → 10.06
Ursula Junque (ursinha) wrote : Bug fixed by a commit
Changed in malone:
status: In Progress → Fix Committed
tags: added: qa-needstesting
Graham Binns (gmb)
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in malone:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.