Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions
Bug #1960162 reported by Afraz Khan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
subiquity | Fix Released | Critical | Dan Bungert |
Bug Description
On a successful install of Ubuntu 20.04, the password for the user created during installation is recorded in plaintext in Subiquity's logs in:
* subiquity-
* subiquity-
These are symlinks to the real files, but all such files (whether linked to or not) contain the information. The permissions on these files are such that all users on the system can read them (0644).
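A regression check for the condition described above, as an added example that is not part of the original report or Subiquity's code: after a test install with a known canary secret, it flags every log file that is readable by "other" and contains that secret, resolving symlinks so a link and its target count once. The directory, file names and canary value are constructed for the demo.

```python
import os
import stat
import tempfile

CANARY = "canary-passphrase-7f3a"  # constructed test secret


def audit_log_dir(log_dir, canary):
    """Return sorted (real_path, octal_mode) for world-readable files holding canary."""
    needle = canary.encode()
    seen, findings = set(), []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            # A symlink and its target are the same leak: resolve and dedupe.
            real = os.path.realpath(os.path.join(root, name))
            if real in seen or not os.path.isfile(real):
                continue
            seen.add(real)
            mode = stat.S_IMODE(os.stat(real).st_mode)
            if not mode & stat.S_IROTH:  # e.g. 0600 is not readable by "other"
                continue
            with open(real, "rb") as fh:
                if any(needle in line for line in fh):
                    findings.append((real, oct(mode)))
    return sorted(findings)


def demo():
    """Build a constructed log directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        samples = {  # name -> (content, mode); all constructed
            "sample-debug.log.1234": (f"passphrase: {CANARY}\n", 0o644),
            "sample-locked.log.1234": (f"passphrase: {CANARY}\n", 0o600),
            "sample-clean.log.1234": ("passphrase: <redacted>\n", 0o644),
        }
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        os.symlink("sample-debug.log.1234", os.path.join(tmp, "sample-debug.log"))
        return [(os.path.basename(p), m) for p, m in audit_log_dir(tmp, CANARY)]


if __name__ == "__main__":
    print(demo())
```

The check looks only at each file's own mode bits; whether the parent directories are traversable by other users still has to be verified separately.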
Changed in subiquity:
status: New → Incomplete
Changed in subiquity:
status: Incomplete → Confirmed
Changed in subiquity:
assignee: nobody → Dan Bungert (dbungert)
Changed in subiquity:
importance: Undecided → Critical
information type: Private Security → Public Security
summary:
- Subiquity Shows Created User Password in Plaintext with Read-all
+ Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions
Changed in subiquity:
status: Confirmed → Fix Committed
Changed in subiquity:
status: Fix Committed → Fix Released
@Afraz, thanks for the report.
With the 20.04.3 ISO, such as can be found at
https://releases.ubuntu.com/focal/ubuntu-20.04.3-live-server-amd64.iso
I was not able to see this issue.
Cloud-init did fix an issue where the password was written out, and that fix is in 20.04.3 but not the 20.04.0 iso.
https://bugs.launchpad.net/cloud-init/+bug/1918303
Which iso did you use? If you did use 20.04.3 can you give me more detailed reproduction steps?