VYPR
Unrated severity · NVD Advisory · Published Apr 17, 2020 · Updated Sep 17, 2024

Byobu apport hook uploads user's ~/.screenrc

CVE-2019-7306

Description

Byobu Apport hook may disclose sensitive information since it automatically uploads the local user's .screenrc which may contain private hostnames, usernames and passwords. This issue affects: byobu

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Byobu's Apport hook automatically uploads the user's .screenrc file, potentially exposing private hostnames, usernames, and passwords.

Vulnerability

The Ubuntu byobu package includes an Apport hook (debian/source_byobu.py) that attaches the user's ~/.screenrc file to crash or bug reports. This file may contain sensitive information such as hostnames, usernames, and passwords. The vulnerability affects the Ubuntu and Debian packages of byobu (not the upstream application itself). [1]

Exploitation

An attacker does not need direct access; the exploitation occurs when a user triggers a crash or manually creates a bug report via Apport. The report, including the .screenrc file, is then automatically uploaded to an external database (e.g., Launchpad or Ubuntu Error Tracker). No authentication or user interaction beyond the crash/report creation is required. [1]

Impact

Successful exploitation leads to disclosure of sensitive information contained in the user's .screenrc file, potentially including private hostnames, usernames, and passwords. This is a confidentiality breach with no direct impact on integrity or availability. [1]

Mitigation

The fix was implemented in the byobu package by removing the inclusion of ~/.screenrc from the Apport hook. Users should update to the patched version. As of the reference date (2019-04-19), a fix was being prepared. Check the Ubuntu security repository for the latest package version. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Apport hook unconditionally attaches the user's private ~/.screenrc file to crash/bug reports without filtering sensitive content or asking for consent."

Attack vector

An attacker can trigger this information disclosure when Byobu crashes (e.g., via `kill -11`) or when the user manually creates a bug report with `apport-cli`. The Apport hook automatically attaches the full contents of `~/.screenrc` to the report [1]. If the system is configured to upload crash reports automatically (the default on Ubuntu), the file's contents—which may contain passwords, usernames, and hostnames—are sent to external bug databases like Launchpad or the Ubuntu Error Tracker without any user confirmation [1].

Affected code

The vulnerable file is `debian/source_byobu.py` (installed as `/usr/share/apport/package-hooks/source_byobu.py`). The `add_info` function calls `attach_file_if_exists(report, path.expanduser('~/.screenrc'), 'ScreenRC')`, which unconditionally includes the user's private `~/.screenrc` dot file in any Apport crash or bug report [1].

What the fix does

The advisory proposes removing the `~/.screenrc` attachment entirely, or at minimum filtering out sensitive lines (e.g., `password`, `su`, `screen` with TELNET arguments) and using Apport's `ui.yesno()` to ask the user for explicit consent before including the file [1]. As an immediate workaround, users can delete `/usr/share/apport/package-hooks/source_byobu.py` [1]. No patch is published in the bundle; the advisory itself serves as the remediation guidance.
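The "filter plus consent" variant described above can be sketched as follows. This is an added example, not code from byobu, Ubuntu or the advisory; it assumes Apport's `add_info(report, ui)` hook signature and `ui.yesno()`, treats the report as a plain mapping so it runs without Apport installed, and uses a hypothetical `screenrc_path` parameter and constructed sample data.

```python
import os
import re

# Directives the advisory lists as sensitive: `password`, `su`, and
# `screen` windows started with telnet arguments. Matching fails closed.
_SENSITIVE = re.compile(r"^\s*(password|su)\b|^\s*screen\b.*telnet", re.IGNORECASE)

# Constructed sample ~/.screenrc (not real credentials).
SAMPLE_SCREENRC = """\
startup_message off
password examplecrypt123
su admin example-pass
screen -t router //telnet 192.0.2.10
hardstatus alwayslastline
"""


def redact_screenrc(text):
    """Return (filtered_text, removed_count); sensitive lines become a marker."""
    out, removed = [], 0
    for line in text.splitlines():
        if _SENSITIVE.search(line):
            out.append("# [removed by hook filter]")
            removed += 1
        else:
            out.append(line)
    return "\n".join(out), removed


def add_info(report, ui, screenrc_path=None):
    """Hook entry point: attach a filtered ~/.screenrc only on explicit consent.

    `report` is treated as a plain mapping and `screenrc_path` is a
    hypothetical parameter added so the example can run without Apport.
    """
    path = screenrc_path or os.path.expanduser("~/.screenrc")
    if not os.path.isfile(path):
        return
    # ui.yesno() returns True, False, or None (dialog cancelled); a missing
    # UI is treated as refusal (assumption made for this example).
    if ui is None or ui.yesno("Attach a filtered copy of ~/.screenrc?") is not True:
        return
    with open(path, errors="replace") as fh:
        report["ScreenRC"], _ = redact_screenrc(fh.read())


if __name__ == "__main__":
    print(redact_screenrc(SAMPLE_SCREENRC)[0])
```

A keyword filter cannot recognise every secret (a hostname on a `screen ssh` line would pass through), which is why dropping the attachment entirely is the advisory's first option.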

Preconditions

  • config: The system must have the Apport crash-report framework installed and enabled (default on Ubuntu).
  • input: Byobu must crash (or the user must manually run apport-cli on the byobu binary).
  • config: The crash report must be uploaded to an external bug database (either automatically or manually).

Reproduction

On a default Ubuntu installation: `echo "secret" > ~/.screenrc` then `apport-cli --save /tmp/reportfile /usr/bin/byobu`. The resulting report file will contain a line like `ScreenRC: secret`, demonstrating the disclosure [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
