[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
*** This bug is a duplicate of bug 129820 ***
    https://bugs.launchpad.net/bugs/129820

that's a duplicate of bug #129820 which has been fixed to gutsy

** This bug has been marked a duplicate of bug 129820
   gnome-keyring-daemon crashed with SIGSEGV in strchr()

--
gnome-keyring-daemon crashed with SIGSEGV in strchr()
https://bugs.launchpad.net/bugs/130938
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is a direct subscriber.

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Changed in: gnome-keyring (upstream)
       Status: New => Invalid
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Changed in: gnome-keyring (upstream)
       Status: Unknown => New
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Bug watch removed: GNOME Bug Tracker #464859
   http://bugzilla.gnome.org/show_bug.cgi?id=464859

** Bug watch added: GNOME Bug Tracker #467451
   http://bugzilla.gnome.org/show_bug.cgi?id=467451
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
it should not be possible to subscribe to a private bug if you don't have access to it, if you find a way that would be a launchpad bug
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Thu, 2007-08-09 at 14:37 +, Kees Cook wrote:
> I apologize for the mistake -- I accidentally overlooked that portion of
> the report; if it is any consolation, the contents of the stacktrace
> were not sent out in email. Again, sorry for this disclosure.

That's fair enough. Apology accepted. The silver lining in the black cloud of a mistake is that hopefully we learn from it.

About "smalloc"... do you think the concept is "half-baked"?

Cheers,
b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
I apologize for the mistake -- I accidentally overlooked that portion of the report; if it is any consolation, the contents of the stacktrace were not sent out in email. Again, sorry for this disclosure.
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Thu, 2007-08-09 at 07:51 +, Sebastien Bacher wrote:
> The apport bugs are private by default in gutsy, that should address
> your concern.

Partly, yes. Sensitive data is still being exposed albeit to a smaller group of people. But it's also only guarded by the security of Launchpad. Those are both enough to make me nervous.

> Looks like Kees made an error while cleaning the list of
> bugs wrongly tagged as a security issue, that can happen to everybody

Perhaps. This was careless though. I would say anyone dealing with bugs tagged as a security issue has an extra level of responsibility and needs to be an order of magnitude more careful in their actions (measure twice, cut once). The very nature of a package that deals in secrets is that it is likely that at least one of them is in the core file and/or stack trace.

As I said previously though, the real answer is the automated scrubbing of data marked sensitive as it passes through the core-dumping-and-debugging process. And then of course, the world of FOSS has to be taught to use it. :-(

This sounds like a wonderful project for a Canonical developer. :-) I'd say it belongs right in the heart of gcc/glibc/kernel so that it's ubiquitous and not just available to those by adding a library/build-time dependency.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
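An added example, not part of this thread and not apport's code: a report-side filter that redacts string values of sensitively named variables from a gdb-style backtrace before it is attached to a bug. It is a name-based text heuristic, not the in-process marking of sensitive data the message above asks for; the name pattern, the frame and file names, and every sample value other than the `secret` line quoted in this thread are constructed.

```python
import re

# Assumption: variable names that suggest secret material. Matching is
# deliberately broad (it also hits e.g. "keyring_name"): over-redaction is
# the safe failure mode for a report that may become public.
SENSITIVE = re.compile(r"(secret|passw(or)?d|passphrase|token|key)", re.I)

# gdb prints a char* as   name = 0xADDR "contents"   (locals in "bt full")
#                   or    name=0xADDR "contents"     (frame arguments).
# The string body may contain backslash-escaped quotes.
ASSIGN = re.compile(
    r'(?P<name>[A-Za-z_]\w*)(?P<eq>\s*=\s*)'
    r'(?P<ptr>0x[0-9a-fA-F]+\s+)?'
    r'"(?P<val>(?:[^"\\]|\\.)*)"'
)

def scrub_backtrace(text):
    """Return (scrubbed_text, redaction_count).

    The pointer is kept because it helps debugging; the string contents
    are dropped, including their length.
    """
    count = 0

    def repl(m):
        nonlocal count
        if not SENSITIVE.search(m.group("name")):
            return m.group(0)          # not sensitive: leave untouched
        count += 1
        return '{}{}{}"<redacted>"'.format(
            m.group("name"), m.group("eq"), m.group("ptr") or "")

    return ASSIGN.sub(repl, text), count

# Constructed sample in "bt full" layout (parse_item and item.c are
# hypothetical names, not gnome-keyring symbols).
SAMPLE = '''#0  0xb7d3a1c3 in strchr () from /lib/libc.so.6
No symbol table info available.
#1  0x0804f2a1 in parse_item (secret=0xb7efb038 "now is the time", name=0x80a1b20 "login") at item.c:210
        buf = 0x80a1c00 "item \\"one\\""
        password = 0x80a1d40 "hunter2 \\"x\\""
        len = 15
'''

if __name__ == "__main__":
    scrubbed, n = scrub_backtrace(SAMPLE)
    print(scrubbed)
    print("redacted values:", n)
```

A filter like this only covers pretty-printed locals and arguments; the same bytes can still be present in an attached core file or raw memory dump.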
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Thu, 2007-08-09 at 07:52 +, Sebastien Bacher wrote:
> Unchecking the security option again, that looks like a simple crash and
> not a vulnerability that can be exploited

I wasn't sure which flag was which and erred on the side of safety.

When a bug is "private to subscribers only" does anything prevent "some Joe" from simply subscribing to see the contents? Can a private bug be a bug others are duplicated to, such that the subscriber of the duplicate bug automatically becomes a subscriber (by way of duplicate flagging) of the private bug?

What is really needed here is something like:

http://www.usenix.org/publications/library/proceedings/sec03/tech/full_papers/broadwell/broadwell_html/scrash.html

I don't know of any real-world implementations of such a thing though. I don't know if any of the existing security frameworks will "contain" userspace data. I tend to think they don't/won't -- they typically only deal with kernel "object"s.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
The apport bugs are private by default in gutsy, that should address your concern. Looks like Kees made an error while cleaning the list of bugs wrongly tagged as a security issue, that can happen to everybody

** This bug is no longer flagged as a security issue
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
Unchecking the security option again, that looks like a simple crash and not a vulnerability that can be exploited
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Visibility changed to: Private

** This bug has been flagged as a security issue
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Wed, 2007-08-08 at 22:55 +, Sebastien Bacher wrote:
> The backtrace has 'secret = 0xb7efb038 "now is the time"', which
> I didn't notice before sending the bug. Not sure if that's the keyring
> key, the bug is marked private but you might want to change it if that's
> private information

Apparently it's not private. Kees Cook changed the visibility to public. I have already made my position clear about that. Indeed, I am not at all happy about it.

I'm really not sure how to balance the usefulness of my reporting bugs with apport and all of the data that it may contain with the possibility (and indeed, probability as we have now seen) that that data may be secret and shared with anyone who wishes to look.

As I've said before, this needs to be addressed -- somehow.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
Re: [Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
On Wed, 2007-08-08 at 22:07 +, Kees Cook wrote:
> ** Visibility changed to: Public

Complete with my "secret" in it. Thanks very much.

I really don't think it is your place to determine if a bug I marked private is indeed private or public. I marked it private for very good reason. I obviously had more instinct that there was probably private data in it than you did.

I have warned about this exact problem time and time again within different bugs in Launchpad with this "automated" (apport) bug submission tool.

It's obviously high time for official policy on dealing with bugs marked as private/security issue which may contain private data.

I wonder how many users are compromising security of systems without even realizing it.

b.

--
My other computer is your Microsoft Windows server.

Brian J. Murrell
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugzilla.gnome.org/show_bug.cgi?id=464859

** Changed in: gnome-keyring (Ubuntu)
     Assignee: (unassigned) => Ubuntu Desktop Bugs
       Status: New => Triaged

** Also affects: gnome-keyring (upstream) via
   http://bugzilla.gnome.org/show_bug.cgi?id=464859
   Importance: Unknown
       Status: Unknown
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
The backtrace has 'secret = 0xb7efb038 "now is the time"', which I didn't notice before sending the bug. Not sure if that's the keyring key, the bug is marked private but you might want to change it if that's private information
[Bug 130938] Re: gnome-keyring-daemon crashed with SIGSEGV in strchr()
** Visibility changed to: Public

** This bug is no longer flagged as a security issue