You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch, which means it is supposed to read the password from stdin without presenting a prompt. Previously, encfs had a bug of its own and did not quite do this. A bugfix corrected its behaviour to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all."
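The following is an added example, not code from Cryptkeeper or encfs. It models the two encfs stdin behaviours described above as small functions fed the exact byte stream Cryptkeeper writes, so the resulting password can be checked under each, and it shows the write() loop McVittie's comment calls for. The password "hunter2" and both reader models are constructed simplifications, not the real encfs parser.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* Constructed byte stream: what the article says Cryptkeeper writes to the
   encfs stdin pipe: a simulated 'p' keypress, then the real password, then
   a newline. "hunter2" is a made-up password for this example. */
static const char CRYPTKEEPER_STDIN[] = "p\nhunter2\n";

/* Copy the next line of *cursor (without its newline) into out and advance
   the cursor. Returns 0, or -1 if the line does not fit. */
static int read_line(const char **cursor, char *out, size_t outlen) {
    const char *nl = strchr(*cursor, '\n');
    size_t len = nl ? (size_t)(nl - *cursor) : strlen(*cursor);
    if (len >= outlen) return -1;
    memcpy(out, *cursor, len);
    out[len] = '\0';
    *cursor = nl ? nl + 1 : *cursor + len;
    return 0;
}

/* Simplified model of the old encfs: despite -S it still consumed a
   configuration-mode choice first, so 'p' selected paranoia mode and the
   second line became the password. Returns 0 on success. */
int legacy_encfs_password(const char *stdin_bytes, char *out, size_t outlen) {
    char choice[16];
    if (read_line(&stdin_bytes, choice, sizeof choice) != 0) return -1;
    if (strcmp(choice, "p") != 0) return -1; /* unexpected menu input */
    return read_line(&stdin_bytes, out, outlen);
}

/* Simplified model of the fixed encfs: -S means "password from stdin, no
   prompt", so the very first line is taken as the password. */
int fixed_encfs_password(const char *stdin_bytes, char *out, size_t outlen) {
    return read_line(&stdin_bytes, out, outlen);
}

/* What a wrapper should do instead of ignoring write()'s return value:
   retry on EINTR, continue after short writes, and report real errors. */
int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}
```

Run both models over CRYPTKEEPER_STDIN: the legacy model yields "hunter2", the fixed model yields "p", which is exactly the mismatch that left every Cryptkeeper folder protected by a one-letter password.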
