Bug#867110: libfvde-utils: fvde utils should accept password more securely

nandhp nandhp at gmail.com
Mon Jul 3 21:12:16 UTC 2017

Package: libfvde-utils
Version: 20160918-1+b1
Severity: important

Dear Maintainer,

fvdeinfo and fvdemount only accept passwords as command-line options (-p
or -r). However, this is not an appropriate method for providing the
password, since the process command-line is visible to all users and
processes on the system. These utilities should be able to accept
passwords on STDIN.

I have marked the severity of the bug as "important" because while the
problem doesn't prevent the package from working, and it may still be
good to use in an emergency, it exposes the user's credentials in a way
that would be unacceptable on a routine basis.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libfvde-utils depends on:
ii  libbfio1  20160108-1
ii  libc6     2.24-11+deb9u1
ii  libfuse2  2.9.7-1
ii  libfvde1  20160918-1+b1

libfvde-utils recommends no packages.

libfvde-utils suggests no packages.

-- no debconf information

More information about the forensics-devel mailing list