Daniel Hahler: I can reproduce this bug (which can be considered a
security flaw) in Hardy and Intrepid. This bug can be reproduced under
these conditions:

Prerequisites:
Having a configured cryptsetup with a LUKS partition and applying the patch 
provided in bug 139363 to re-enable cryptsetup password through usplash.

Steps to reproduce:
1. Reboot your computer
2. When asked by usplash, type your password, but don't press "enter" to 
validate your password.
3. Switch to tty 1 with CTRL + ALT + F1
4. Switch back to the usplash tty with CTRL + ALT + F8

Result:
The password is written in plain text in the console.

Strangely, this bug can't be reproduced with the LVM cryptsetup installation
that comes with the Hardy alternate install CD. "cryptroot", which is started
by initramfs, is almost identical to the patch in bug 139363, but the
final result differs in two ways:

1. The password never appears in the console.
2. Asterisks appear as you type the password, instead of appearing only once 
you have pressed "enter".

The fact that one is started inside initramfs and that the other one is
started during the init.d boot sequence seems to have an impact on this
bug.


** Changed in: usplash (Ubuntu)
   Importance: Undecided => Medium
       Status: Fix Released => New

-- 
[edgy] usplash prevents passwords from being not echoed on the console
https://bugs.launchpad.net/bugs/55159