Bug 1201962 - Bootloader password leaked into YaST logs
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: YaST2
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Assigned To: YaST Team
Jiri Srain
Depends on:
Reported: 2022-07-28 14:14 UTC by Ancor Gonzalez Sosa
Modified: 2022-10-14 13:59 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Andreas.Stieger: needinfo? (security-team)


Description Ancor Gonzalez Sosa 2022-07-28 14:14:38 UTC
In yast2-bootloader (even during system installation) if the option "Protect Boot Loader with Password" is used, YaST executes the command grub2-mkpasswd-pbkdf2 to generate the hashed password. Doing so, it leaks the typed password to the YaST logs.
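
As an added illustration (not YaST's or grub2's own code), the Ruby sketch below shows the CWE-532 shape described here and its mitigation: a command line that embeds the password is logged verbatim, versus redacting the secret before the line reaches the log and feeding it on stdin through an exec array instead of a shell string. The printf pipeline, the placeholder and the demo password are constructed assumptions, as is the assumption that the tool reads the password twice from stdin.

```ruby
require "logger"
require "stringio"
require "open3"

REDACTED = "[REDACTED]"

# Mask every occurrence of `secret` before a line is written to the log.
def redact(line, secret)
  return line if secret.nil? || secret.empty?
  line.gsub(secret, REDACTED)
end

# Detection helper for log review: does captured log text still contain
# the secret in clear text?
def log_leaks?(log_text, secret)
  log_text.include?(secret)
end

# Hardened execution: run `argv` as an exec array (no shell), feed the secret
# on stdin, and log only the redacted argv plus the exit status. The secret
# then appears neither in the process command line nor in the log.
# Assumption: the tool reads the password twice from stdin, one per line.
def run_with_secret(argv, secret, logger)
  logger.info("exec: #{redact(argv.join(' '), secret)}")
  out, status = Open3.capture2(*argv, stdin_data: "#{secret}\n#{secret}\n")
  logger.info("exit status: #{status.exitstatus}")
  out
end

# Constructed demo of the leaky shape: a shell pipeline string that embeds
# the password is logged verbatim, then the same line is logged after redact.
# Returns the two log lines so they can be inspected or asserted on.
def demo(secret = "constructed-demo-pw")
  buf = StringIO.new
  logger = Logger.new(buf)
  leaky = "printf '%s\\n%s\\n' '#{secret}' '#{secret}' | grub2-mkpasswd-pbkdf2"
  logger.info("exec: #{leaky}")                 # secret lands in the log
  logger.info("exec: #{redact(leaky, secret)}") # masked before logging
  buf.string.lines.map(&:chomp)
end
```

Running `log_leaks?` over an existing YaST log with the password entered during installation is the quickest way to confirm whether a given version is affected.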

Comment 1 Andreas Stieger 2022-07-28 20:55:57 UTC
Looks like CWE-532 (Information Exposure Through Log Files). Similar to CVE-2012-0425 but less severe.