crypt password is printed in plain text

Bug #972414 reported by Lennart Buhl
This bug affects 2 people
Affects: cryptsetup (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Used Ubuntu version is Ubuntu Server 11.10 64-bit.
It's newly installed, I didn't modify anything on the kernel or initrd or such things. I created the whole disk setup with the Ubuntu Server Installer.
This is my setup: I have 4 HDDs, 3 of them are in a RAID 5. On top of the RAID, there is a cryptsetup layer. Inside of the cryptsetup is an LVM. The fourth HDD includes the encrypted operating system as well as GRUB (unencrypted /boot) and the MBR.
So at startup I am first being asked for the password for my ubuntu-HDD (sdd2). A first error is that there are asterisks for every letter I type. That's not really a disastrous bug, but should be fixed too.
But then the real bug occurs: after I entered my crypt password for sdd2_crpyt, I am asked for the crypt password for my encrypted RAID. And the whole password is printed in PLAIN TEXT! (see screenshot)
Everything works, I can boot up properly after entering the password, but it really shouldn't be printed in plain text!
If I type in some letters and then delete them with backspace, it looks like this:
Enter passphrase: asdf\fdsa/

Lennart Buhl (e95q) wrote :
visibility: private → public
Changed in cryptsetup (Ubuntu):
assignee: nobody → Lennart Buhl (e95q)
assignee: Lennart Buhl (e95q) → nobody
security vulnerability: yes → no
security vulnerability: yes → no
Lennart Buhl (e95q) wrote :

Indeed it is a security vulnerability. I recently found out that you can view the whole crypt password in tty8 after a successful boot.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cryptsetup (Ubuntu):
status: New → Confirmed