[pkg-gnupg-maint] Bug#801757: Pinentry displays password while typing
Klaus Ethgen
Klaus at Ethgen.de
Fri Oct 16 08:31:24 UTC 2015
Hi,
On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> > Package: pinentry-gtk2
> > Version: 0.9.6-2
>
> > In newest version, pinentry is displaying password when typing. (It is
> > displaying the last letter but an observer can easily read the password.)
>
> i'm not seeing this behavior at all. I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are. The password entry field
> i see is just dots, no characters.
>
> Could you try to reproduce it simply and help me to reproduce it?
>
> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.
>
> Does the prompting still show the text for you?
Yes, it does.
> > Please revert that recent change back to the secure way of just
> > displaying dots.
>
> I'm unaware of such a change, please help me track it down! :)
>
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget. is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?
>
> can you try it from a new/clean user account on your machine? can you
> try it from another machine with the same version installed?
Yes, the same. I created a completely fresh user and saw the same
result. And I have the same on all of my machines that run Debian sid.
(I have no desktop not running sid but the problem just occurred
recently.)
And I heard from others that they also experienced that problem.
Maybe that gtk.Entry stuff is not secure to use. I am not aware what
exactly the recent change did.
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C