Bug 1519895
Summary: | LUKS passphrase in plain text included in bug report details
---|---
Product: | [Fedora] Fedora
Component: | anaconda
Version: | 28
Status: | CLOSED CURRENTRELEASE
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Marek Marczykowski <marmarek>
Assignee: | Martin Kolman <mkolman>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | anaconda-maint-list, jkonecny, jonathan, kellin, marmarek, mkolman, vanmeeuwen+fedora, vponcova, wwoods
Fixed In Version: | anaconda-28.13-1
: | 1523609
Last Closed: | 2018-05-07 10:41:32 UTC
Type: | Bug
Bug Blocks: | 1523609

Description
Marek Marczykowski
2017-12-01 16:20:54 UTC
Can you specify in more detail where exactly does the plaintext LUKS passphrase show up? In the traceback file or somewhere else?

Also do I understand it correctly you see the plaintext of the passphrase you have interactively entered in the GUI, not a LUKS passphrase set via kickstart?

(In reply to Martin Kolman from comment #1)
> Can you specify in more detail where exactly does the plaintext LUKS
> passphrase show up? In the traceback file or somewhere else?

Yes, in the traceback. As part of _intf.data - where full kickstart data is included:

```
_intf: GraphicalUserInterface instance, containing members:
_intf._isFinal: True
_intf._actions: Skipped
_intf._ui: None
_intf.data: #version=DEVEL
#System authorization information
auth --enableshadow --passalgo=sha512
(...)
autopart --encrypted --passphrase="verystrongpass" --type=thinp
(...)
```

> Also do I understand it correctly you see the plaintext of the passphrase
> you have interactively entered in the GUI, not a LUKS passphrase set via
> kickstart?

Yes, entered interactively.

(In reply to Marek Marczykowski from comment #2)
> (In reply to Martin Kolman from comment #1)
> > Can you specify in more detail where exactly does the plaintext LUKS
> > passphrase show up? In the traceback file or somewhere else?
>
> Yes, in the traceback. As part of _intf.data - where full kickstart data is
> included:
>
> _intf: GraphicalUserInterface instance, containing members:
> _intf._isFinal: True
> _intf._actions: Skipped
> _intf._ui: None
> _intf.data: #version=DEVEL
> #System authorization information
> auth --enableshadow --passalgo=sha512
> (...)
> autopart --encrypted --passphrase="verystrongpass" --type=thinp
> (...)
>
> > Also do I understand it correctly you see the plaintext of the passphrase
> > you have interactively entered in the GUI, not a LUKS passphrase set via
> > kickstart?
>
> Yes, entered interactively.

Thanks - that looks like a bug in the traceback filtering code.
IIRC there should be filters in place to both remove unnecessarily verbose stuff and sensitive items like the LUKS passphrase.

There is some filtering in pyanaconda/exception.py initExceptionHandling(), but it applies to whole attributes - here, the passphrase is part of _intf.data attribute which is reported as a whole string.
The easiest fix would be excluding _intf.data entirely, but that would also make bug reports slightly less informative...

(In reply to Marek Marczykowski from comment #4)
> There is some filtering in pyanaconda/exception.py initExceptionHandling(),
> but it applies to whole attributes - here, the passphrase is part of
> _intf.data attribute which is reported as a whole string.
> The easiest fix would be excluding _intf.data entirely, but that would also
> make bug reports slightly less informative...

Let's do that for now:
https://github.com/rhinstaller/anaconda/pull/1263

Should be fixed once anaconda-28.13-1 hits the Rawhide compose. :)

The fix should be part of the current Rawhide nightly composes. Could you verify all is fine now? :)

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Looks fine.

Based on comment 9 I'm closing this issue.
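
Comment 4 points out that the existing filter works on whole attributes, so a secret embedded in the `_intf.data` string passes through unless the attribute is dropped. The following is an added example, not anaconda's code and not the change in the linked pull request: it sketches the alternative of scrubbing secret values inside the kickstart string so the rest stays in the report. The function names, the option list and the sample text are assumptions, and it goes beyond the report by also covering `rootpw`.

```python
import re

# Assumed list for this example: kickstart options whose value is a secret.
SECRET_OPTIONS = ("passphrase", "password")

# A value is a quoted string (an unterminated quote runs to end of line, so a
# malformed line is still scrubbed) or a bare token that is not another option.
_VALUE = r"""(?:"(?:[^"\\\n]|\\.)*(?:"|$)|'[^'\n]*(?:'|$)|(?!--)\S+)"""
_OPTION_RE = re.compile(
    r"(--(?:%s))(=|[ \t]+)%s" % ("|".join(SECRET_OPTIONS), _VALUE),
    re.MULTILINE,
)
# rootpw takes its secret as a positional argument: scrub the rest of the line.
_ROOTPW_RE = re.compile(r"^([ \t]*rootpw)[ \t]+.*$", re.MULTILINE)


def redact_kickstart(text, placeholder="<redacted>"):
    """Return (scrubbed_text, number_of_values_replaced)."""
    text, n_opt = _OPTION_RE.subn(
        lambda m: m.group(1) + m.group(2) + placeholder, text)
    text, n_root = _ROOTPW_RE.subn(
        lambda m: m.group(1) + " " + placeholder, text)
    return text, n_opt + n_root


def dump_attribute(name, value):
    """Format one attribute for a crash dump, scrubbing inside string values."""
    if isinstance(value, str):
        value, _ = redact_kickstart(value)
    return "%s: %s" % (name, value)


# Constructed sample, modelled on the _intf.data excerpt quoted in the report.
SAMPLE = (
    "#version=DEVEL\n"
    "auth --enableshadow --passalgo=sha512\n"
    'autopart --encrypted --passphrase="verystrongpass" --type=thinp\n'
    'part /home --encrypted --passphrase "two words --fstype=xfs\n'
    "rootpw --plaintext hunter2\n"
)

if __name__ == "__main__":
    print(dump_attribute("_intf.data", SAMPLE))
```

Pattern-based scrubbing only catches the options it knows about, so a dump that can carry new secret-bearing fields still needs the whole-attribute exclusion as the fallback.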