RST/BitLocker - Do not make URLs translatable

Bug #1874229 reported by Jean-Baptiste Lallement
This bug affects 1 person
Affects: ubiquity (Ubuntu)
Status: New
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

In the debconf template and the UI file, the URLs for BitLocker and RST are translatable, introducing a risk for a translator to break the URL or, more importantly, to inject a malicious URL in the translation.

$ grep -r -E 'ubuntu.com/(rst|bitlocker)'

debian/ubiquity.templates:_Description: This computer uses Intel RST (Rapid Storage Technology). You need to turn off RST before installing Ubuntu. For instructions, open this page on a phone or other device: <a href="https://help.ubuntu.com/rst">help.ubuntu.com/rst</a>
debian/ubiquity.templates:_Description: This computer uses Windows BitLocker encryption. You need to turn off BitLocker in Windows before installing Ubuntu. For instructions, open this page on a phone or other device: <a href="https://help.ubuntu.com/bitlocker">help.ubuntu.com/bitlocker</a>
gui/gtk/stepPrepare.ui: <property name="label" translatable="yes">This computer uses Intel RST (Rapid Storage Technology). You need to turn off RST before installing Ubuntu. For instructions, open this page on a phone or other device: &lt;a href="https://help.ubuntu.com/rst"&gt;help.ubuntu.com/rst&lt;/a&gt;</property>
gui/gtk/stepPartAsk.ui: <property name="label" translatable="yes">This computer uses Windows BitLocker encryption. You need to turn off BitLocker in Windows before installing Ubuntu. For instructions, open this page on a phone or other device: &lt;a href="https://help.ubuntu.com/bitlocker"&gt;help.ubuntu.com/bitlocker&lt;/a&gt;</property>

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: ubiquity (not installed)
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Wed Apr 22 12:28:09 2020
InstallCmdLine: file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd.lz quiet splash -- keyboard-configuration/layoutcode=fr keyboard-configuration/variantcode=oss
InstallationDate: Installed on 2014-07-15 (2108 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140520)
SourcePackage: ubiquity
UpgradeStatus: Upgraded to focal on 2018-03-24 (759 days ago)

Jean-Baptiste Lallement (jibel) wrote :
description: updated
summary: - RST/BitLocket - Do not make URL translatable
+ RST/BitLocker - Do not make URL translatable
summary: - RST/BitLocker - Do not make URL translatable
+ RST/BitLocker - Do not make URLs translatable
Alex Murray (alexmurray) wrote :

Subscribing foundations bugs team for visibility.

Sebastien Bacher (seb128) wrote :

Is that really a security issue?

The translations are done on Launchpad by a restricted group.

Also, the fact that the original string has a URL included or not doesn't make a real difference; translators could translate 'That's a nice title' to 'click my money making http://www.ubuntu.com/moneymaking' the same way...

Alex Murray (alexmurray) wrote :

Marking as public and not security.

information type: Private Security → Public
Changed in ubiquity (Ubuntu):
importance: Undecided → Medium
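
A check that covers both the report and the comment above, as an added example (not ubiquity's or Launchpad's code): it scans gettext .po text and flags any translation whose link targets differ from those of the source string, whether the source had a URL or not. The sample .po fragment, the function names and the example.invalid URLs are constructed for illustration.

```python
import re
# Constructed sample .po fragment (not real Ubuntu translations).
SAMPLE_PO = r'''
msgid "For instructions, open: <a href=\"https://help.ubuntu.com/rst\">help.ubuntu.com/rst</a>"
msgstr "Instructions : <a href=\"https://help.ubuntu.com/rst\">help.ubuntu.com/rst</a>"

msgid "For instructions, open: <a href=\"https://help.ubuntu.com/bitlocker\">help.ubuntu.com/bitlocker</a>"
msgstr ""
"Instructions : <a href=\"https://help.example.invalid/bitlocker\">"
"help.ubuntu.com/bitlocker</a>"

msgid "That's a nice title"
msgstr "Joli titre, voir http://example.invalid/promo"
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.I)

def unescape(s):
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def parse_po(text):
    """Return (msgid, msgstr) pairs; handles multi-line strings, not plurals or msgctxt."""
    entries, cur, field = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'(msgid|msgstr)\s+"(.*)"$', line)
        if m:
            field = m.group(1)
            if field == "msgid":
                cur = {"msgid": "", "msgstr": ""}
                entries.append(cur)
            cur[field] = unescape(m.group(2))
        elif field and len(line) >= 2 and line[0] == line[-1] == '"':
            cur[field] += unescape(line[1:-1])  # continuation line
        else:
            field = None
    return [(e["msgid"], e["msgstr"]) for e in entries]

def link_targets(s):
    return {u.rstrip(".,;:)") for u in URL_RE.findall(s)} | set(HREF_RE.findall(s))

def audit(po_text):
    """Return (msgid, added_targets, missing_targets); skips header and untranslated entries."""
    pairs = [(mid, link_targets(mid), link_targets(mstr)) for mid, mstr in parse_po(po_text) if mid and mstr]
    return [(mid, sorted(dst - src), sorted(src - dst)) for mid, src, dst in pairs if src != dst]

if __name__ == "__main__":
    for msgid, added, missing in audit(SAMPLE_PO):
        print(f"{msgid[:40]!r}: added={added} missing={missing}")
```

The visible link text (help.ubuntu.com/rst, without a scheme) is not compared here; only `href` values and `http(s)://` URLs are.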