Password security bugs in LUKS configuration during guided install

Status: Done
Participants: Ludovic Courtès, sirmacik
Owner: unassigned
Submitted by: sirmacik
Severity: important

sirmacik wrote on 13 May 2019 17:09
Password security bugs in LUKS configuration during guided install
(address . bug-guix@gnu.org)
20190513150922.GA30339@mail.freearts.agency
Hey Guix

I've asked on IRC if those bugs were known but apparently no, so here
they are:

- during guided installation with LUKS encryption one is not able to
enter a password longer than the length of the field;
- in the same field the password is shown during typing (lets one see the bug
above, characters typed after reaching the length of the field are simply
not recorded);

The field with confirmation hides typed letters. Due to bug #1 I wasn't
able to check if it works properly.

--
sirmacik
PGP: 0xE0DC81D523891771
Ludovic Courtès wrote on 14 May 2019 00:27
control message for bug #35716
(address . control@debbugs.gnu.org)
874l5youqa.fsf@gnu.org
severity 35716 important
Ludovic Courtès wrote on 14 May 2019 11:50
(address . control@debbugs.gnu.org)
875zqd2wli.fsf@gnu.org
tags 35716 security
Ludovic Courtès wrote on 14 May 2019 12:17
Re: bug#35716: Password security bugs in LUKS configuration during guided install
(name . sirmacik)(address . sirmacik@wioo.waw.pl)(address . 35716-done@debbugs.gnu.org)
87v9yd1gsn.fsf@gnu.org
Hi sirmacik,

sirmacik <sirmacik@wioo.waw.pl> skribis:

> I've asked on IRC if those bugs were known but apparently no, so here
> they are:
>
> - during guided installation with LUKS encryption one is not able to
> enter a password longer than the length of the field;

Good catch!

Commit ef250707d3303d58ae00fe8f461701e7fa788d8a fixes it for the
passphrase, the root password, and user passwords.

> - in the same field password is shown during typing (lets one see bug
> above, characters typed after reaching length of field are simply
> not recorded);

This has been addressed recently:

Thanks for your report!

Ludo’.
Closed