When using a GRUB bootloader password, the MD5 hash of said password was collected and stored in the resulting archive of debugging information when running sosreport. An attacker able to access the archive could use this flaw to obtain the GRUB bootloader password.
Acknowledgements: Red Hat would like to thank Dolev Farhi of F5 Networks for reporting this issue.
This issue is a similar scenario to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2664
Created sos tracking bugs for this issue: Affects: fedora-all [bug 1101474]
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1102633#c4 for an explanation of why this is not a security issue.

The sos program cannot account for every single password that might be tucked away in any given file that it attempts to collect. It makes a best effort to scrub data, but that is in no way a guarantee and users are encouraged to look over the data that sos collects prior to sending it anywhere, and there is an explicit message to this effect when you run sos (before it collects anything). This is more of a hardening exercise than anything else. As well, an "attacker" can only benefit from the information if an authorized user makes it available to them.

Statement: This bug is not a security issue. For a detailed explanation, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1101393#c5
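One way to review an extracted sosreport tree for GRUB password hashes before sharing it, as an added example (not sos's own code and not part of the original comments). It goes beyond the `--md5` case reported here by also matching `password --encrypted` and GRUB 2 `password_pbkdf2` lines; the function names, the `boot/grub/grub.conf` path and the sample hashes are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Directives that carry a password hash: GRUB legacy "password --md5 <hash>"
# (or "--encrypted") and GRUB 2 "password_pbkdf2 <user> <hash>".
HASH_LINE = re.compile(
    r"^(?P<head>[ \t]*(?:password[ \t]+--(?:md5|encrypted)"
    r"|password_pbkdf2[ \t]+\S+)[ \t]+)(?P<hash>\S+)",
    re.MULTILINE,
)
PLACEHOLDER = "********"

def scrub_text(text):
    """Return (scrubbed_text, number_of_hashes_replaced)."""
    return HASH_LINE.subn(lambda m: m.group("head") + PLACEHOLDER, text)

def scrub_tree(root):
    """Redact GRUB hashes in text files under root; return {path: count}."""
    changed = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            original = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: leave for manual review
        scrubbed, count = scrub_text(original)
        if count:
            path.write_text(scrubbed, encoding="utf-8")
            changed[path.relative_to(root).as_posix()] = count
    return changed

def demo():
    # Constructed sample standing in for an extracted sosreport directory.
    sample = (
        "default=0\n"
        "password --md5 $1$CONSTRUCTED$notARealHashValue000000\n"
        "title Example Linux\n"
        "\tpassword --md5 $1$CONSTRUCTED$perEntryHashValue00000\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, "boot", "grub", "grub.conf")
        conf.parent.mkdir(parents=True)
        conf.write_text(sample, encoding="utf-8")
        return scrub_tree(tmp), conf.read_text(encoding="utf-8")

if __name__ == "__main__":
    print(demo())
```

The returned mapping lists each file that contained a hash, which is useful as a review log even when the redaction itself is not wanted.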
sos-3.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.