Password security bugs in LUKS configuration during guided install

DoneSubmitted by sirmacik.
Details
2 participants
  • Ludovic Courtès
  • sirmacik
Owner
unassigned
Severity
important
S
S
sirmacik wrote on 13 May 2019 17:09
Password security bugs in LUKS configuration during guided install
(address . bug-guix@gnu.org)
20190513150922.GA30339@mail.freearts.agency
Hey Guix

I've asked on IRC if those bugs were known but apparently no, so here
they are:

- during guided installation with LUKS encryption one is not able to
enter password longer then length of field;
- in the same field password is shown during typing (lets one see bug
above, characters typed after reaching length of field are simply
not recorded);

Field with conformation hides typed letters. Due to bug #1 I wasn't
able to check if it works properly.

--
sirmacik
PGP: 0xE0DC81D523891771
L
L
Ludovic Courtès wrote on 14 May 2019 00:27
control message for bug #35716
(address . control@debbugs.gnu.org)
874l5youqa.fsf@gnu.org
severity 35716 important
L
L
Ludovic Courtès wrote on 14 May 2019 11:50
(address . control@debbugs.gnu.org)
875zqd2wli.fsf@gnu.org
tags 35716 security
L
L
Ludovic Courtès wrote on 14 May 2019 12:17
Re: bug#35716: Password security bugs in LUKS configuration during guided install
(name . sirmacik)(address . sirmacik@wioo.waw.pl)(address . 35716-done@debbugs.gnu.org)
87v9yd1gsn.fsf@gnu.org
Hi sirmacik,

sirmacik <sirmacik@wioo.waw.pl> skribis:

Toggle quote (6 lines)
> I've asked on IRC if those bugs were known but apparently no, so here
> they are:
>
> - during guided installation with LUKS encryption one is not able to
> enter password longer then length of field;

Good catch!

Commit ef250707d3303d58ae00fe8f461701e7fa788d8a fixes it for the
passphrase, the root password, and user passwords.

Toggle quote (4 lines)
> - in the same field password is shown during typing (lets one see bug
> above, characters typed after reaching length of field are simply
> not recorded);

This has been addressed recently:

Thanks for your report!

Ludo’.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 35716@debbugs.gnu.org