Bug#867110: libfvde-utils: fvde utils should accept password more securely
nandhp at gmail.com
Mon Jul 3 21:12:16 UTC 2017
fvdeinfo and fvdemount only accept passwords as command-line options (-p
or -r). However, this is not an appropriate method for providing the
password, since the process command-line is visible to all users and
processes on the system. These utilities should be able to accept
passwords on STDIN.
I have marked the severity of the bug as "important" because while the
problem doesn't prevent the package from working, and it may still be
good to use in an emergency, it exposes the user's credentials in a way
that would be unacceptable on a routine basis.
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libfvde-utils depends on:
ii libbfio1 20160108-1
ii libc6 2.24-11+deb9u1
ii libfuse2 2.9.7-1
ii libfvde1 20160918-1+b1
libfvde-utils recommends no packages.
libfvde-utils suggests no packages.
-- no debconf information
More information about the forensics-devel