Password security bugs in LUKS configuration during guided install

Done

Details

2 participants

Ludovic Courtès
sirmacik

Owner: unassigned

Submitted by: sirmacik

Severity: important

sirmacik wrote on 13 May 2019 17:09

Password security bugs in LUKS configuration during guided install

Recipients:(address . bug-guix@gnu.org)

Message-ID:20190513150922.GA30339@mail.freearts.agency

Hey Guix

I've asked on IRC if those bugs were known but apparently no, so here

they are:

- during guided installation with LUKS encryption one is not able to

enter password longer then length of field;

- in the same field password is shown during typing (lets one see bug

above, characters typed after reaching length of field are simply

not recorded);

Field with conformation hides typed letters. Due to bug #1 I wasn't

able to check if it works properly.

sirmacik

PGP: 0xE0DC81D523891771

Ludovic Courtès wrote on 14 May 2019 00:27

control message for bug #35716

Recipients:(address . control@debbugs.gnu.org)

Message-ID:874l5youqa.fsf@gnu.org

severity 35716 important

Ludovic Courtès wrote on 14 May 2019 11:50

Recipients:(address . control@debbugs.gnu.org)

Message-ID:875zqd2wli.fsf@gnu.org

tags 35716 security

Ludovic Courtès wrote on 14 May 2019 12:17

Re: bug#35716: Password security bugs in LUKS configuration during guided install

Recipients:(name . sirmacik)(address . sirmacik@wioo.waw.pl)(address . 35716-done@debbugs.gnu.org)

Message-ID:87v9yd1gsn.fsf@gnu.org

Hi sirmacik,

sirmacik <sirmacik@wioo.waw.pl> skribis:

Toggle quote (6 lines)

> I've asked on IRC if those bugs were known but apparently no, so here

> they are:

> - during guided installation with LUKS encryption one is not able to

> enter password longer then length of field;

Good catch!

Commit ef250707d3303d58ae00fe8f461701e7fa788d8a fixes it for the

passphrase, the root password, and user passwords.

Toggle quote (4 lines)

> - in the same field password is shown during typing (lets one see bug

> above, characters typed after reaching length of field are simply

> not recorded);

This has been addressed recently:

https://issues.guix.info/issue/35540.

Thanks for your report!

Ludo’.

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 35716@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date