Fwd: Bug#996330: wpasupplicant: wpa_supplicant logs sensitive data in cleartext

[Andrej Shadura]

Hi,

I’ve received this bug report against the Debian package for wpasupplicant.

-- 
Cheers,
  Andrej

----- Original message -----
From: Vladimir K <pzs-fs at yandex.ru>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Bug#996330: wpasupplicant: wpa_supplicant logs sensitive data in cleartext
Date: Wednesday, 13 October 2021 09:39

Package: wpasupplicant
Version: 2:2.9.0-22+b1
Severity: important

Dear Maintainer, wpa_supplicant can not use hardware token again if it was 
unplugged at some point after previous use by wpa_supplicant, requires service restart.
(other applications do not experience such problems)
The other problem is that on any error with the token it dumps pin in clear text to the log:
    
    Oct 13 10:00:22 hostname wpa_supplicant[3834594]: ENGINE: cannot load private key with id 'pkcs11:{full_pkcs11_url}?pin-value={cleartext_pin_value}' [error:8206B032:PKCS#11 module:pkcs11_find_keys:Device removed]

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (900, 'testing'), (400, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-2-amd64 (SMP w/8 CPU threads)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wpasupplicant depends on:
ii  adduser            3.118
ii  libc6              2.32-4
ii  libdbus-1-3        1.12.20-2
ii  libnl-3-200        3.4.0-1+b1
ii  libnl-genl-3-200   3.4.0-1+b1
ii  libnl-route-3-200  3.4.0-1+b1
ii  libpcsclite1       1.9.4-1
ii  libreadline8       8.1-2
ii  libssl1.1          1.1.1l-1
ii  lsb-base           11.1.0

wpasupplicant recommends no packages.

Versions of packages wpasupplicant suggests:
ii  libengine-pkcs11-openssl  0.4.11-1
ii  wpagui                    2:2.9.0-22+b1

-- no debconf information