Password security bugs in LUKS configuration during guided install

DoneSubmitted by sirmacik.
S
sirmacik wrote on Mon May 13 17:09:22+0200 2019
Password security bugs in LUKS configuration during guided install
(address . bug-guix@gnu.org)
20190513150922.GA30339@mail.freearts.agency
Download
Hey Guix

I've asked on IRC if those bugs were known but apparently no, so here
they are:

- during guided installation with LUKS encryption one is not able to
enter password longer then length of field;
- in the same field password is shown during typing (lets one see bug
above, characters typed after reaching length of field are simply
not recorded);

Field with conformation hides typed letters. Due to bug #1 I wasn't
able to check if it works properly.

--
sirmacik
PGP: 0xE0DC81D523891771


L
Ludovic Courtès wrote on Tue May 14 00:27:57+0200 2019
control message for bug #35716
(address . control@debbugs.gnu.org)
874l5youqa.fsf@gnu.org
Download
severity 35716 important


L
Ludovic Courtès wrote on Tue May 14 11:50:49+0200 2019
(address . control@debbugs.gnu.org)
875zqd2wli.fsf@gnu.org
Download
tags 35716 security


L
Ludovic Courtès wrote on Tue May 14 12:17:28+0200 2019
Re: bug#35716: Password security bugs in LUKS configuration during guided install
(name . sirmacik)(address . sirmacik@wioo.waw.pl)(address . 35716-done@debbugs.gnu.org)
87v9yd1gsn.fsf@gnu.org
Download
Hi sirmacik,

sirmacik <sirmacik@wioo.waw.pl> skribis:

> I've asked on IRC if those bugs were known but apparently no, so here
> they are:
>
> - during guided installation with LUKS encryption one is not able to
> enter password longer then length of field;

Good catch!

Commit ef250707d3303d58ae00fe8f461701e7fa788d8a fixes it for the
passphrase, the root password, and user passwords.

> - in the same field password is shown during typing (lets one see bug
> above, characters typed after reaching length of field are simply
> not recorded);

This has been addressed recently:
<https://issues.guix.info/issue/35540>.

Thanks for your report!

Ludo’.


Closed
?
Your comment

Comments via the web interface are not currently supported. To comment on this conversation send email to 35716@debbugs.gnu.org

  • Ludovic Courtès
  • sirmacik
unassigned
important
Done