usplash echoes cryptsetup passphrase in plain text in console
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cryptsetup (Ubuntu) | New | Undecided | Unassigned | |
usplash (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Binary package hint: usplash
Since cryptsetup 2:1.0.6-6ubuntu1 (intrepid), cryptsetup now uses usplash to ask for the passphrase. If you switch to console 1, and then switch back to console 8, you'll see that your password was echoed in the console, in plain text.
Prerequisites:
Having a configured cryptsetup with a LUKS partition on an up-to-date intrepid.
Steps to reproduce:
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8
Result:
The password is written in plain text in the console tty8.
Strangely, this bug can't be reproduced with the LVM cryptsetup installation that comes with the hardy alternate install CD. "cryptroot", which is started by initramfs, is almost identical to the init.d script.
1. The password never appears in the console.
2. Asterisks appear as you type the password, instead of appearing only once you have pressed "enter".
The fact that one is started inside initramfs and that the other one is started during the init.d boot sequence seems to have an impact on this bug.