Source: grub
Severity: important
Tags: security

Setting a bootloader password with special chars in it (at least ":" and ")") hashed by pbkdf2 does not work. On reboot, the password is not accepted, although no errors were reported during the setup process.

EXAMPLE:
/etc/grub.d/40_custom

set superusers="user1,user2,user3"
# testPassword
password_pbkdf2 user1 grub.pbkdf2.sha512.10000.2ABB3F3C56A01E70191BB86E8941C37889802FD45DF66C0DC4C1B5AF5162675E944D962D27690E9417B2FD600C60EF34899B1D37C968302F0A9DB5AA92A509AA.F19BC9513049FD0BCB557C0EA22AA0B66BD703895364FD4A62E6AB528141D3B780906049B2FD1F2D86476698A3B94D58C62A23354C2A0170CFDCE93E8C557EAC
# testPasswor:d
password_pbkdf2 user2 grub.pbkdf2.sha512.10000.28F49DE1237C3984961855AD9AF73950C3D223B6CC0A7B1E0A43E6C032CB655F9D284A8ED5F2E431DB4B29561A19E8B3C756272FC4280F67C403E0980D7027EB.DBCAECCE38F2BFD929EC3DEFE76819BFA6877A18110F00087D4133FF65F40BF10CCC93C227EF7F37812FC5C44CC800606C5A6E2EA8B3CF72E52DB162877FD1E0
# testpasswor)d
password_pbkdf2 user3 grub.pbkdf2.sha512.10000.1D57E1E0EB33DEBF78E164C08F09B53A9265CE2F5E54D9A2C66D71FED83CC3AE5647AB1ECEB93E81339FEA4205520441071D250A7512CE0E89E1C76E1FB9377B.C866414C4F6F8904AACBDEB6D7789B0775D36BE9DDF729253B0813B4266593041693C2CD5E929D8C851E832E44A8932925EAD400E4E02A6684BB73B269CE40FF
export superusers

While the password for user1 works, the passwords for users user2 and user3 do not work. This was also tested with different combinations.

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
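
A stored password_pbkdf2 entry like the ones in the report can be checked offline against the intended password, which separates a bad hash from a password that is not accepted at the boot prompt. The following is an added example, not code from the reporter or from GRUB; the function names are hypothetical, and it assumes the password was hashed as UTF-8 bytes with PBKDF2-HMAC-SHA512 in the grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex> layout shown above.

```python
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512."


def parse_grub_hash(entry: str):
    """Split grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex> into fields."""
    if not entry.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    parts = entry[len(PREFIX):].strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected <iterations>.<salt>.<hash>")
    iterations = int(parts[0])
    salt = bytes.fromhex(parts[1])      # raises ValueError on bad hex
    digest = bytes.fromhex(parts[2])
    if iterations < 1 or not salt or not digest:
        raise ValueError("empty or invalid field")
    return iterations, salt, digest


def verify(entry: str, password: str) -> bool:
    """Recompute the derived key for `password` and compare in constant time."""
    iterations, salt, digest = parse_grub_hash(entry)
    # Assumption: the password bytes are the UTF-8 encoding of what was typed.
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def make_hash(password: str, iterations: int = 10000, salt: bytes = None) -> str:
    """Hypothetical helper: build a constructed entry in the same layout."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations, dklen=64)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


if __name__ == "__main__":
    # Constructed entries for the three passwords named in the report.
    for pw in ("testPassword", "testPasswor:d", "testpasswor)d"):
        entry = make_hash(pw)
        print(pw, "->", verify(entry, pw))
```

To check a real entry, pass the hash string from /etc/grub.d/40_custom and the intended password to verify().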

