Bug 1519895

Summary: LUKS passphrase in plain text included in bug report details
Product: [Fedora] Fedora Reporter: Marek Marczykowski <marmarek>
Component: anacondaAssignee: Martin Kolman <mkolman>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: anaconda-maint-list, jkonecny, jonathan, kellin, marmarek, mkolman, vanmeeuwen+fedora, vponcova, wwoods
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: anaconda-28.13-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1523609 (view as bug list) Environment:
Last Closed: 2018-05-07 10:41:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1523609    

Description Marek Marczykowski 2017-12-01 16:20:54 UTC 
Description of problem:

Anaconda exception handler propose to report a bug and include various details. It include, among other things, full kickstart data, including LUKS passphrase in plain text.

Version-Release number of selected component (if applicable):
anaconda-25.20.9

How reproducible:
Every time when installation fails.

Steps to Reproduce:
1. Start installation, choose to encrypt the disk, set LUKS passphrase
2. Have something that cause installation fail (for example broken media)
3. Scroll through bug report details to the kickstart data

Actual results:
LUKS passphrase is visible in plain text, on the screen, and is proposed to be included in actual bug report

Expected results:
LUKS passphrase is obfuscated or removed (like later in /root/anaconda-ks.cfg - see #868519)

Additional info:

This was originally reported for Qubes OS 4.0, which use anaconda from Fedora 25: https://groups.google.com/d/msgid/qubes-users/d18652f0-d300-4b92-99c0-a0ecedd93d11%40googlegroups.com

According to the anaconda repository state as of today, it also apply to the most recent version.
Comment 1 Martin Kolman 2017-12-04 14:10:17 UTC 
Can you specify in more detail where exactly does the plaintext LUKS passphrase show up ? In the traceback file or somewhere else ?

Also do I understand it correctly you see the plaintext of the passphrase you have interactively entered in the GUI, not a LUKS passphrase set via kickstart ?
Comment 2 Marek Marczykowski 2017-12-04 14:43:48 UTC 
(In reply to Martin Kolman from comment #1)
> Can you specify in more detail where exactly does the plaintext LUKS
> passphrase show up ? In the traceback file or somewhere else ?

Yes, in the traceback. As part of _intf.data - where full kickstart data is included:

    _intf: GraphicalUserInterface instance, containing members:
      _intf._isFinal: True
      _intf._actions: Skipped
      _intf._ui: None
      _intf.data: #version=DEVEL
    #System authorization information
    auth --enableshadow --passalgo=sha512
    (...)
    autopart --encrypted --passphrase="verystrongpass" --type=thinp
    (...)

> Also do I understand it correctly you see the plaintext of the passphrase
> you have interactively entered in the GUI, not a LUKS passphrase set via
> kickstart ?

Yes, entered interactively.
Comment 3 Martin Kolman 2017-12-04 15:08:33 UTC 
(In reply to Marek Marczykowski from comment #2)
> (In reply to Martin Kolman from comment #1)
> > Can you specify in more detail where exactly does the plaintext LUKS
> > passphrase show up ? In the traceback file or somewhere else ?
> 
> Yes, in the traceback. As part of _intf.data - where full kickstart data is
> included:
> 
>     _intf: GraphicalUserInterface instance, containing members:
>       _intf._isFinal: True
>       _intf._actions: Skipped
>       _intf._ui: None
>       _intf.data: #version=DEVEL
>     #System authorization information
>     auth --enableshadow --passalgo=sha512
>     (...)
>     autopart --encrypted --passphrase="verystrongpass" --type=thinp
>     (...)
> 
> > Also do I understand it correctly you see the plaintext of the passphrase
> > you have interactively entered in the GUI, not a LUKS passphrase set via
> > kickstart ?
> 
> Yes, entered interactively.

Thanks - that look like a bug in the traceback filtering code. IIRC there should be filters in place to both remove unnecessarily verbose stuff and sensitive items like the LUKS passphrase.
Comment 4 Marek Marczykowski 2017-12-04 21:09:40 UTC 
There is some filtering in pyanaconda/exception.py initExceptionHandling(), but it applies to whole attributes - here, the passphrase is part of _intf.data attribute which is reported as a whole string.
The easiest fix would be excluding _intf.data entirely, but that would also make bug reports slightly less informative...
Comment 5 Martin Kolman 2017-12-08 19:30:33 UTC 
(In reply to Marek Marczykowski from comment #4)
> There is some filtering in pyanaconda/exception.py initExceptionHandling(),
> but it applies to whole attributes - here, the passphrase is part of
> _intf.data attribute which is reported as a whole string.
> The easiest fix would be excluding _intf.data entirely, but that would also
> make bug reports slightly less informative...
Let's do that for now: https://github.com/rhinstaller/anaconda/pull/1263
Comment 6 Martin Kolman 2017-12-12 14:24:59 UTC 
Should be fixed once anaconda-28.13-1 hits the Rawhide compose. :)
Comment 7 Martin Kolman 2017-12-22 11:44:06 UTC 
The fix should be part of the current Rawhide nightly composes. Could you verify all is fine now ? :)
Comment 8 Fedora End Of Life 2018-02-20 15:31:45 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
Comment 9 Marek Marczykowski 2018-05-07 10:21:20 UTC 
Looks fine.
Comment 10 Jiri Konecny 2018-05-07 10:41:32 UTC 
Based on the comment 9 I'm closing this issue.