Bug 1201962 - Bootloader password leaked into YaST logs
Status: CONFIRMED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: YaST2
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assigned To: YaST Team
QA Contact: Jiri Srain
URL: https://trello.com/c/wUIl9Uda
Reported: 2022-07-28 14:14 UTC by Ancor Gonzalez Sosa
Modified: 2022-10-14 13:59 UTC (History)

Flags: Andreas.Stieger: needinfo? (security-team)
Description Ancor Gonzalez Sosa 2022-07-28 14:14:38 UTC
In yast2-bootloader (even during system installation) if the option "Protect Boot Loader with Password" is used, YaST executes the command grub2-mkpasswd-pbkdf2 to generate the hashed password. Doing so, it leaks the typed password to the YaST logs.

https://github.com/yast/yast-bootloader/blob/master/src/lib/bootloader/grub2pwd.rb#L133
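The defect class described above (a command wrapper that writes the secret it feeds to a child process into the log) is easy to reproduce and to fix in isolation. The following Ruby is an added illustration, not code from yast-bootloader: `run_leaky` logs the full stdin payload it hands to the command, `run_redacted` logs only that a secret was supplied, and `log_contains?` checks what actually landed in the log. To stay runnable without GRUB installed, the demo uses `cat` as a stand-in for `grub2-mkpasswd-pbkdf2` (any command that reads the password from stdin behaves the same way for the purpose of the log), and the logger writes to an in-memory buffer instead of a file.

```ruby
require "open3"
require "logger"
require "stringio"

# In-memory log so the example can inspect what would have reached the log file.
# (Constructed for this illustration; a real installer logs to a file.)
LOG_BUFFER = StringIO.new
LOG = Logger.new(LOG_BUFFER)

SECRET_PLACEHOLDER = "[REDACTED]"

# Leaky pattern (CWE-532): the wrapper logs the command line together with the
# data it will write to the child's stdin, so the password ends up in the log.
def run_leaky(cmd, stdin_data)
  LOG.info("Running #{cmd.join(' ')} with stdin: #{stdin_data.inspect}")
  out, status = Open3.capture2(*cmd, stdin_data: stdin_data)
  [out, status.success?]
end

# Hardened pattern: identical execution, but the log records only that a secret
# was supplied (and its length, which is harmless for diagnostics), never its value.
def run_redacted(cmd, stdin_data)
  LOG.info("Running #{cmd.join(' ')} with stdin: #{SECRET_PLACEHOLDER} " \
           "(#{stdin_data.bytesize} bytes)")
  out, status = Open3.capture2(*cmd, stdin_data: stdin_data)
  [out, status.success?]
end

# Detection helper: does the given secret appear anywhere in the captured log?
def log_contains?(secret)
  LOG_BUFFER.string.include?(secret)
end

def clear_log
  LOG_BUFFER.truncate(0)
  LOG_BUFFER.rewind
end

if $PROGRAM_NAME == __FILE__
  # Stand-in for the real hashing tool: `cat` simply reads the password from stdin.
  password = "correct-horse\n" # constructed sample value
  run_leaky(["cat"], password)
  puts "leaky wrapper leaked the password: #{log_contains?('correct-horse')}"
  clear_log
  run_redacted(["cat"], password)
  puts "redacted wrapper leaked the password: #{log_contains?('correct-horse')}"
end
```

The point of the hardened variant is that the command still receives the password through stdin exactly as before; only the wrapper's own logging changes. When auditing an installer or configuration tool for this class of leak, the `log_contains?`-style check (grep the produced logs for a known test password after running the affected workflow) is the cheapest regression test.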
Comment 1 Andreas Stieger 2022-07-28 20:55:57 UTC
Looks like CWE-532 (Information Exposure Through Log Files). Similar to CVE-2012-0425 but less severe.