1519895 – LUKS passphrase in plain text included in bug report details

Bug 1519895 - LUKS passphrase in plain text included in bug report details

Summary: LUKS passphrase in plain text included in bug report details

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	anaconda
Sub Component:
Version:	28
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Martin Kolman
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1523609
TreeView+	depends on / blocked

Reported:	2017-12-01 16:20 UTC by Marek Marczykowski
Modified:	2018-05-07 10:41 UTC (History)
CC List:	9 users (show)
Fixed In Version:	anaconda-28.13-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1523609 (view as bug list)
Environment:
Last Closed:	2018-05-07 10:41:32 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Marek Marczykowski 2017-12-01 16:20:54 UTC

Description of problem:

Anaconda exception handler propose to report a bug and include various details. It include, among other things, full kickstart data, including LUKS passphrase in plain text.

Version-Release number of selected component (if applicable):
anaconda-25.20.9

How reproducible:
Every time when installation fails.

Steps to Reproduce:
1. Start installation, choose to encrypt the disk, set LUKS passphrase
2. Have something that cause installation fail (for example broken media)
3. Scroll through bug report details to the kickstart data

Actual results:
LUKS passphrase is visible in plain text, on the screen, and is proposed to be included in actual bug report

Expected results:
LUKS passphrase is obfuscated or removed (like later in /root/anaconda-ks.cfg - see #868519)

Additional info:

This was originally reported for Qubes OS 4.0, which use anaconda from Fedora 25: https://groups.google.com/d/msgid/qubes-users/d18652f0-d300-4b92-99c0-a0ecedd93d11%40googlegroups.com

According to the anaconda repository state as of today, it also apply to the most recent version.

Comment 1 Martin Kolman 2017-12-04 14:10:17 UTC

Can you specify in more detail where exactly does the plaintext LUKS passphrase show up ? In the traceback file or somewhere else ?

Also do I understand it correctly you see the plaintext of the passphrase you have interactively entered in the GUI, not a LUKS passphrase set via kickstart ?

Comment 2 Marek Marczykowski 2017-12-04 14:43:48 UTC

(In reply to Martin Kolman from comment #1)
> Can you specify in more detail where exactly does the plaintext LUKS
> passphrase show up ? In the traceback file or somewhere else ?

Yes, in the traceback. As part of _intf.data - where full kickstart data is included:

    _intf: GraphicalUserInterface instance, containing members:
      _intf._isFinal: True
      _intf._actions: Skipped
      _intf._ui: None
      _intf.data: #version=DEVEL
    #System authorization information
    auth --enableshadow --passalgo=sha512
    (...)
    autopart --encrypted --passphrase="verystrongpass" --type=thinp
    (...)

> Also do I understand it correctly you see the plaintext of the passphrase
> you have interactively entered in the GUI, not a LUKS passphrase set via
> kickstart ?

Yes, entered interactively.

Comment 3 Martin Kolman 2017-12-04 15:08:33 UTC

(In reply to Marek Marczykowski from comment #2)
> (In reply to Martin Kolman from comment #1)
> > Can you specify in more detail where exactly does the plaintext LUKS
> > passphrase show up ? In the traceback file or somewhere else ?
> 
> Yes, in the traceback. As part of _intf.data - where full kickstart data is
> included:
> 
>     _intf: GraphicalUserInterface instance, containing members:
>       _intf._isFinal: True
>       _intf._actions: Skipped
>       _intf._ui: None
>       _intf.data: #version=DEVEL
>     #System authorization information
>     auth --enableshadow --passalgo=sha512
>     (...)
>     autopart --encrypted --passphrase="verystrongpass" --type=thinp
>     (...)
> 
> > Also do I understand it correctly you see the plaintext of the passphrase
> > you have interactively entered in the GUI, not a LUKS passphrase set via
> > kickstart ?
> 
> Yes, entered interactively.

Thanks - that look like a bug in the traceback filtering code. IIRC there should be filters in place to both remove unnecessarily verbose stuff and sensitive items like the LUKS passphrase.

Comment 4 Marek Marczykowski 2017-12-04 21:09:40 UTC

There is some filtering in pyanaconda/exception.py initExceptionHandling(), but it applies to whole attributes - here, the passphrase is part of _intf.data attribute which is reported as a whole string.
The easiest fix would be excluding _intf.data entirely, but that would also make bug reports slightly less informative...

Comment 5 Martin Kolman 2017-12-08 19:30:33 UTC

(In reply to Marek Marczykowski from comment #4)
> There is some filtering in pyanaconda/exception.py initExceptionHandling(),
> but it applies to whole attributes - here, the passphrase is part of
> _intf.data attribute which is reported as a whole string.
> The easiest fix would be excluding _intf.data entirely, but that would also
> make bug reports slightly less informative...
Let's do that for now: https://github.com/rhinstaller/anaconda/pull/1263

Comment 6 Martin Kolman 2017-12-12 14:24:59 UTC

Should be fixed once anaconda-28.13-1 hits the Rawhide compose. :)

Comment 7 Martin Kolman 2017-12-22 11:44:06 UTC

The fix should be part of the current Rawhide nightly composes. Could you verify all is fine now ? :)

Comment 8 Fedora End Of Life 2018-02-20 15:31:45 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 9 Marek Marczykowski 2018-05-07 10:21:20 UTC

Looks fine.

Comment 10 Jiri Konecny 2018-05-07 10:41:32 UTC

Based on the comment 9 I'm closing this issue.

Note You need to log in before you can comment on or make changes to this bug.