Sure, I just did it myself.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-desktop3 in Ubuntu.
https://bugs.launchpad.net/bugs/1695112

Title:
  GNOME creates thumbnails that leak encrypted data under default Ubuntu
  configuration

Status in gnome-desktop3 package in Ubuntu:
  New

Bug description:
  Tested on Ubuntu 16.04.2 LTS. Bug appears to be in libgnome-
  desktop-3-12 (3.18.2-1ubuntu1). Nautilus (1:3.18.4.is.3.14.3-0ubuntu5)
  used to confirm.

  When a user does not have an encrypted home directory, the default
  Ubuntu installation offers an encrypted Private directory for each
  user using ecryptfs. The goal, I presume, is to give the user a place
  where they can protect data from being read directly off the disk.

  This entire purpose is defeated, though, because GNOME caches
  thumbnails of files in Private. These can be detailed enough to reveal
  contents of the encrypted storage.

  To reproduce:
  1. Save an image or other thumbnail-able file directly to ~/Private. It could 
be porn, a naked selfie, ... I used the Ubuntu logo 64_logo.png from Launchpad.
  2. Open Nautilus and browse to Private. Confirm that a thumbnail is shown for 
the image.
  3. Find this file's checksum: echo -n 'file:///home/xxx/Private/64_logo.png' 
| md5sum
  4. Confirm that ~/.caches/thumbnails/<size>/<checksum>.png exists and is a 
scaled-down image of the original file in Private, that has been written to 
disk outside of an encrypted location.

  If this is not a bug, I don't understand why Ubuntu would provide an
  encrypted Private directory in the first place.

  Ideally, this would be fixed by improving
  gnome_desktop_thumbnail_factory_can_thumbnail so it checks the GNOME
  Activity Journal configuration for excluded directories, and include
  ~/Private in that configuration by default. If eliminating thumbnails
  entirely impacts usability, it should be possible to make more
  extensive changes that either cache thumbnails in a location on the
  same filesystem (much like the hidden Trash directories and Windows'
  thumbnail handling) or create thumbnails without caching them to disk.

  I noticed another security problem while investigating this. libgnome-
  desktop may also be leaking thumbnail data even if a user's entire
  home folder is encrypted, through the use of a temporary file here:
  https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/gnome-
  desktop3/vivid/view/head:/libgnome-desktop/gnome-desktop-
  thumbnail.c#L1369 If /tmp is not encrypted or mounted as tmpfs, there
  is a risk of encrypted data being discovered through forensic
  investigative methods on the disk. This is probably not the only way
  encrypted home directory data can leak out to /tmp though.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-desktop3/+bug/1695112/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to