| Bug ID | 1201962 |
|---|---|
| Summary | Bootloader password leaked into_YaST logs |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | YaST2 |
| Assignee | yast2-maintainers@suse.de |
| Reporter | ancor@suse.com |
| QA Contact | jsrain@suse.com |
| Found By | --- |
| Blocker | --- |
In yast2-bootloader (even during system installation) if the option "Protect Boot Loader with Password" is used, YaST executes the command grub2-mkpasswd-pbkdf2 to generate the hashed password. Doing so, it leaks the typed password to the YaST logs. https://github.com/yast/yast-bootloader/blob/master/src/lib/bootloader/grub2pwd.rb#L133