2006-08-04 08:10:55 |
hunger |
bug |
|
|
added bug |
2007-01-05 12:00:04 |
hunger |
usplash: status |
Unconfirmed |
Confirmed |
|
2007-01-05 12:00:04 |
hunger |
usplash: statusexplanation |
|
|
|
2007-06-29 18:16:03 |
Daniel Hahler |
usplash: status |
New |
Confirmed |
|
2007-06-29 18:16:03 |
Daniel Hahler |
usplash: statusexplanation |
|
Confirmed in Feisty/Edgy.
A safety workaround is to switch early to console 1 (ctrl-alt-f1), just when the keyboard is initialized: then the password won't get displayed. |
|
2007-06-29 18:16:25 |
Daniel Hahler |
usplash: status |
Confirmed |
Fix Released |
|
2007-06-29 18:16:25 |
Daniel Hahler |
usplash: statusexplanation |
This appears to be fixed in Gutsy (usplash 0.5.2): you get a password prompt through usplash |
|
|
2008-07-08 06:30:20 |
Saivann Carignan |
usplash: status |
Fix Released |
New |
|
2008-07-08 06:30:20 |
Saivann Carignan |
usplash: importance |
Undecided |
Medium |
|
2008-07-09 00:52:18 |
Saivann Carignan |
title |
[edgy] usplash prevents passwords from being not echoed on the console |
usplash prevents passwords from being not echoed on the console |
|
2008-08-30 19:52:15 |
Saivann Carignan |
usplash: status |
New |
Confirmed |
|
2008-08-30 19:52:15 |
Saivann Carignan |
usplash: importance |
Medium |
High |
|
2008-08-30 19:52:15 |
Saivann Carignan |
usplash: statusexplanation |
Daniel Hahler : I can reproduce this bug (which can be considered as a security flaw) in Hardy and Intrepid. This bug can be reproduced in these conditions :
Pre-requisites :
Having a configured cryptsetup with a luks partition and applying the patch provided in bug 139363 to re-enable cryptsetup password through usplash.
Steps to reproduce :
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8
Result :
The password is written in plain text in the console.
Strangely, this bug can't be reproduced with the LVM cryptsetup installation that comes with the hardy alternate install CD. "cryptroot", which is started by initramfs, is almost identical to the patch in bug 139363, but the final result differs in two ways :
1. The password never appears in the console.
2. Asterisks appear as you type the password, instead of appearing only once you pressed "enter"
The fact that one is started inside initramfs and that the other one is started during the init.d boot sequence seems to have an impact on this bug.
|
Since bug 139363 has been fixed, this security issue can now be reproduced in intrepid. |
|
2008-08-30 19:55:31 |
Saivann Carignan |
description |
Binary package hint: usplash
The new hires usplash causes some trouble with cryptsetup:
Cryptsetup turns off usplash. The screen turns black then (another bug). You can get your output by switching consoles back and forth.
BUT then the passphrases are echoed to the screen! |
The new hires usplash causes some trouble with cryptsetup:
Cryptsetup now uses usplash to ask the passphrase. If you switch to console 1, and then switch back to console 8, you'll see that your password was echoed in the console, in plain text.
Steps to reproduce :
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8 |
|
2008-09-01 14:12:31 |
Reinhard Tartler |
description |
The new hires usplash causes some trouble with cryptsetup:
Cryptsetup now uses usplash to ask the passphrase. If you switch to console 1, and then switch back to console 8, you'll see that your password was echoed in the console, in plain text.
Steps to reproduce :
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8 |
/etc/init.d/cryptdisks from the cryptsetup package uses usplash to ask the passphrase. If you switch to console 1, and then switch back to console 8, you'll see that your password was echoed in the console, in plain text.
Steps to reproduce :
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8 |
|
2008-09-01 18:26:40 |
Saivann Carignan |
bug |
|
|
assigned to cryptsetup (Ubuntu) |
2008-09-01 18:34:13 |
Saivann Carignan |
bug |
|
|
added attachment 'cryptsetup_1.0.6-6ubuntu2.debdiff' (cryptsetup_1.0.6-6ubuntu2.debdiff) |
2008-10-20 06:33:48 |
Reinhard Tartler |
cryptsetup: status |
New |
Invalid |
|
2008-10-20 06:33:48 |
Reinhard Tartler |
cryptsetup: statusexplanation |
|
After rereading the bugtrail, I don't see anything to fix here in the cryptsetup package.
Intrepid ships with an askpass binary that safely asks for the password using the 'best' available means, which includes usplash if available. |
|
2008-12-14 22:14:41 |
Saivann Carignan |
usplash: status |
Confirmed |
Won't Fix |
|
2008-12-14 22:14:41 |
Saivann Carignan |
usplash: statusexplanation |
Confirmed in Feisty/Edgy.
A safety workaround is to switch early to console 1 (ctrl-alt-f1), just when the keyboard is initialized: then the password won't get displayed. |
|
|
2009-02-18 20:11:16 |
Kees Cook |
usplash: status |
Confirmed |
Incomplete |
|
2009-02-18 20:11:16 |
Kees Cook |
usplash: importance |
High |
Medium |
|
2009-02-18 20:11:16 |
Kees Cook |
usplash: statusexplanation |
Since bug 139363 has been fixed, this security issue can now be reproduced in intrepid. |
I cannot reproduce this issue. What are the contents of your /etc/crypttab? |
|
2009-02-22 22:54:38 |
Michael Flaig |
usplash: status |
Incomplete |
Confirmed |
|
2009-02-22 22:54:38 |
Michael Flaig |
usplash: statusexplanation |
I cannot reproduce this issue. What are the contents of your /etc/crypttab? |
Setting to confirmed. This bug affects lots of people. |
|
2009-04-09 14:26:37 |
Luke |
attachment added |
|
Alternate /lib/cryptsetup/cryptdisks.functions http://launchpadlibrarian.net/25113038/cryptdisks.functions |
|
2009-04-09 23:08:39 |
Luke |
attachment added |
|
Broader patch for secure Usplash passphrase entry for both LUKS and non-LUKS mappings http://launchpadlibrarian.net/25171256/cryptdisks.functions |
|
2009-04-13 18:00:24 |
Luke |
attachment added |
|
NEW version of cryptdisks.functions: Fully interactive yet secure http://launchpadlibrarian.net/25351102/cryptdisks.functions |
|
2009-10-20 15:41:43 |
Enno Lohmeier |
nominated for series |
|
Ubuntu Jaunty |
|
2009-10-20 15:41:43 |
Enno Lohmeier |
nominated for series |
|
Ubuntu Karmic |
|
2011-03-24 02:41:14 |
Phillip Susi |
usplash (Ubuntu): status |
Confirmed |
Invalid |
|
2011-03-24 03:28:20 |
Tonic Artos |
removed subscriber Tonic Artos |
|
|
|