
You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

Posted in Security, 31st January 2017 03:35 GMT

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);                      /* simulated 'p' keypress, meant to choose paranoia mode */
write (fd[1], password, strlen (password));   /* the real password */
write (fd[1], "\n", 1);                       /* end of the password line; no write() result is checked */

However, Cryptkeeper runs encfs with the -S switch, which means encfs is supposed to read the password from stdin without prompting. Previously, encfs didn't quite do this. A bugfix corrected its behaviour to match its documentation – which made it incompatible with Cryptkeeper's assumptions: the first line it now reads from stdin is the "p", and that becomes the password.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.
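As an added illustration (not code from the article, from Cryptkeeper or from encfs), the following Python simulation stands in for both generations of encfs with two small child programs that consume stdin the way each one did under -S, feeds them the exact byte sequence Cryptkeeper's three write() calls produce, and reports which password each ends up adopting. It also does the write() result checking that Cryptkeeper skipped, and adds a post-setup check that a wrapper should make. The child programs, write_all, the payload helpers and the sample password are all constructed for this example.

```python
import os
import subprocess
import sys

# Two constructed stand-ins for the encfs child process (not encfs code).
# Each consumes stdin the way that generation of encfs did when run with -S.
OLD_ENCFS = r"""
import sys
lines = sys.stdin.read().split("\n")
# Pre-fix behaviour: the configuration-menu answer was still read from
# stdin first, so the password was the second line.
print(lines[1] if len(lines) > 1 else "")
"""

FIXED_ENCFS = r"""
import sys
# Documented -S behaviour: no prompt, the first line of stdin is the password.
print(sys.stdin.read().split("\n")[0])
"""


def write_all(fd: int, data: bytes) -> None:
    """Write every byte to fd, checking each write() result (Cryptkeeper does not)."""
    view = memoryview(data)
    while len(view):
        n = os.write(fd, view)
        if n <= 0:
            raise OSError("short write to encfs stdin")
        view = view[n:]


def cryptkeeper_payload(password: str) -> bytes:
    """The byte sequence the article's three write() calls put on the pipe."""
    return b"p\n" + password.encode() + b"\n"


def documented_payload(password: str) -> bytes:
    """What the -S interface actually expects: the password line and nothing else."""
    return password.encode() + b"\n"


def password_set_by(encfs_src: str, payload: bytes) -> str:
    """Spawn a stand-in encfs on a pipe, feed it payload, return the password it adopted."""
    rfd, wfd = os.pipe()
    proc = subprocess.Popen([sys.executable, "-c", encfs_src],
                            stdin=rfd, stdout=subprocess.PIPE)
    os.close(rfd)                      # the child holds its own copy of the read end
    try:
        write_all(wfd, payload)
    finally:
        os.close(wfd)                  # EOF for the child, and releases the pipe
    out, _ = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError("stand-in encfs failed with status %d" % proc.returncode)
    return out.decode().rstrip("\n")


def setup_is_safe(encfs_src: str, payload: bytes, intended: str) -> bool:
    """Post-setup check a wrapper should make: the volume must use the intended
    password, not whatever happened to be first on stdin."""
    return password_set_by(encfs_src, payload) == intended


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    for label, src in (("old encfs", OLD_ENCFS), ("fixed encfs", FIXED_ENCFS)):
        print("%-11s + Cryptkeeper payload -> password %r"
              % (label, password_set_by(src, cryptkeeper_payload(pw))))
    print("fixed encfs + documented payload  -> password %r"
          % password_set_by(FIXED_ENCFS, documented_payload(pw)))
```

Run it and the old stand-in reports the real password, the fixed stand-in fed Cryptkeeper's bytes reports just "p", and the fixed stand-in fed only the password line reports the real password again. The setup_is_safe check is the kind of regression test that would have caught the mismatch the day encfs changed: a wrapper that drives another program's stdin should verify the outcome, not assume the interface it was written against still holds.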

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®
