Merge 02efa58 into 4b41f0d

yast · Oct 6, 2022 · 7bbddfa · 7bbddfa
2 parents 4b41f0d + 02efa58
commit 7bbddfa
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/package/yast2-bootloader.changes b/package/yast2-bootloader.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Oct  5 21:35:19 UTC 2022 - Josef Reidinger <jreidinger@suse.com>
+
+- prevent leak of grub2 password to logs(bsc#1201962)
+- 4.3.32
+
 -------------------------------------------------------------------
 Thu Apr  7 13:21:58 UTC 2022 - Josef Reidinger <jreidinger@suse.com>
 

diff --git a/package/yast2-bootloader.spec b/package/yast2-bootloader.spec
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        4.3.31
+Version:        4.3.32
 Release:        0
 Summary:        YaST2 - Bootloader Configuration
 License:        GPL-2.0-or-later

diff --git a/src/lib/bootloader/grub2pwd.rb b/src/lib/bootloader/grub2pwd.rb
@@ -2,6 +2,7 @@
 
 require "yast"
 require "shellwords"
+require "yast2/execute"
 
 Yast.import "Stage"
 
@@ -130,7 +131,8 @@ def encrypt(password)
       result = Yast::Execute.locally("/usr/bin/grub2-mkpasswd-pbkdf2",
         env:    { "LANG" => "C" },
         stdin:  "#{password}\n#{password}\n",
-        stdout: :capture)
+        stdout: :capture,
+        recorder: NoStdinRecorder.new(Yast::Y2Logger.instance))
 
       pwd_line = result.split("\n").grep(/password is/).first
       if !pwd_line
@@ -143,4 +145,11 @@ def encrypt(password)
       ret
     end
   end
+
+  # Class to prevent Yast::Execute from leaking to the logs the password
+  # provided via stdin
+  class NoStdinRecorder < Cheetah::DefaultRecorder
+    # To prevent leaking stdin, just do nothing
+    def record_stdin(_stdin); end
+  end
 end