[pkg-gnupg-maint] Bug#809682: pinentry-qt4: pinentry dialog does not support pasting from clipboard

Kynn Jones kynnjo at gmail.com
Sat Jan 2 19:50:01 UTC 2016


Package: pinentry-qt4
Version: 0.8.3-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The bug described here applies not only to the pinentry-qt4 package
but also to pinentry-gtk2 package.

The pinentry password dialog does not support paste in any form, as
far as I can tell.  Neither Ctrl-V nor Ctrl-Shift-V work, nor is
pasting supported through a right-click-accessible context-specific
menu.

Furthermore, the documentation does not describe any support for
pasting passwords from the clipboard.  (In fact, it does not even
explicitly state that pasting is not supported.  This blanket ignoring
of password-pasting in the documentation makes the situation only more
irritating, because the user needs to work harder to determine that a
commonly expected feature is in fact not supported.)

In the absence of support for pasting the password from the
clipboard, the user is forced to type the password in.  This
represents a security threat for two reasons:

1. typing passwords is vulnerable to keyloggers;
2. the need to type passwords encourages users to choose short, and
therefore insecure, passwords.

The second point above is particularly important: *pinentry forces
users to adopt a highly insecure practice.*



-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pinentry-qt4 depends on:
ii  libc6         2.19-18+deb8u1
ii  libgcc1       1:4.9.2-10
ii  libncursesw5  5.9+20140913-1+b1
ii  libqtcore4    4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtgui4     4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libstdc++6    4.9.2-10
ii  libtinfo5     5.9+20140913-1+b1

pinentry-qt4 recommends no packages.

Versions of packages pinentry-qt4 suggests:
ii  pinentry-doc  0.8.3-2

-- no debconf information
