[pkg-gnupg-maint] Bug#884517: Grab option should be reverted as enabled by default
Vincent Bernat
bernat at debian.org
Sat Dec 16 08:34:35 UTC 2017
Package: gpg-agent
Version: 2.2.3-1
Severity: normal
File: /usr/bin/gpg-agent
Hey!
For some reason, upstream enabled the --no-grab option by default when asking
for a passphrase. I didn't find any rationale behind this change. See:
https://github.com/gpg/gnupg/commit/3d78ae4d3de08398fabae5821045a3a1da6dadbe
I think this is a surprising change and a major security vector. It's
easy with a "follow mouse pointer" focus mode to get one password
typed in an IRC window instead. Default should be reverted to "grab".
In the meantime, I have added the "grab" option in my
~/.gnupg/gpg-agent.conf to avoid that.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gpg-agent depends on:
ii gpgconf 2.2.3-1
ii libassuan0 2.5.1-1
ii libc6 2.25-4
ii libgcrypt20 1.8.1-4
ii libgpg-error0 1.27-5
ii libnpth0 1.5-3
ii pinentry-curses [pinentry] 1.0.0-3
ii pinentry-gtk2 [pinentry] 1.0.0-3
Versions of packages gpg-agent recommends:
ii gnupg 2.2.3-1
Versions of packages gpg-agent suggests:
ii dbus-user-session 1.12.2-1
ii libpam-systemd 235-3
pn pinentry-gnome3 <none>
pn scdaemon <none>
-- no debconf information