GNU bug report logs - #35716
Password security bugs in LUKS configuration during guided install


Package: guix

Reported by: sirmacik <sirmacik <at> wioo.waw.pl>

Date: Mon, 13 May 2019 15:12:02 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 35716 in the body.
You can then email your comments to 35716 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-guix <at> gnu.org:
bug#35716; Package guix. (Mon, 13 May 2019 15:12:02 GMT)

Acknowledgement sent to sirmacik <sirmacik <at> wioo.waw.pl>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 13 May 2019 15:12:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: sirmacik <sirmacik <at> wioo.waw.pl>
To: bug-guix <at> gnu.org
Subject: Password security bugs in LUKS configuration during guided install 
Date: Mon, 13 May 2019 17:09:22 +0200
Hey Guix

I've asked on IRC if those bugs were known but apparently no, so here
they are:

- during guided installation with LUKS encryption one is not able to
  enter password longer than length of field;
- in the same field password is shown during typing (lets one see bug
  above, characters typed after reaching length of field are simply
  not recorded);

Field with confirmation hides typed letters. Due to bug #1 I wasn't
able to check if it works properly.

--
sirmacik
PGP: 0xE0DC81D523891771




Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 14 May 2019 04:11:02 GMT)

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 14 May 2019 09:51:02 GMT)

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Tue, 14 May 2019 10:18:01 GMT)

Notification sent to sirmacik <sirmacik <at> wioo.waw.pl>:
bug acknowledged by developer. (Tue, 14 May 2019 10:18:02 GMT)

Message #14 received at 35716-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: sirmacik <sirmacik <at> wioo.waw.pl>
Cc: 35716-done <at> debbugs.gnu.org
Subject: Re: bug#35716: Password security bugs in LUKS configuration during
 guided install
Date: Tue, 14 May 2019 12:17:28 +0200
Hi sirmacik,

sirmacik <sirmacik <at> wioo.waw.pl> skribis:

> I've asked on IRC if those bugs were known but apparently no, so here
> they are:
>
> - during guided installation with LUKS encryption one is not able to
>   enter password longer than length of field;

Good catch!

Commit ef250707d3303d58ae00fe8f461701e7fa788d8a fixes it for the
passphrase, the root password, and user passwords.

> - in the same field password is shown during typing (lets one see bug
>   above, characters typed after reaching length of field are simply
>   not recorded);

This has been addressed recently:
<https://issues.guix.info/issue/35540>.

Thanks for your report!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 11 Jun 2019 11:24:06 GMT)

This bug report was last modified 4 years and 310 days ago.
