[pkg-gnupg-maint] Bug#1036655: pinentry-curses: leaks keystrokes to the shell
Martin-Éric Racine
martin-eric.racine at iki.fi
Tue May 23 21:51:38 BST 2023
Package: pinentry-curses
Version: 1.2.1-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Having just upgraded from Bullseye to Bookworm, I notice that pinentry-curses leaks keystrokes to the CLI.
1) This is a serious security issue, since the passphrase gets written to the CLI history (in my case, to .bash_history).
2) Additionally, it results in the passphrase failing to get entered. I see an "X to 3 try" warning.
Martin-Éric
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (900, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages pinentry-curses depends on:
ii libassuan0 2.5.5-5
ii libc6 2.36-9
ii libgpg-error0 1.46-1
ii libncursesw6 6.4-4
ii libtinfo6 6.4-4
pinentry-curses recommends no packages.
Versions of packages pinentry-curses suggests:
pn pinentry-doc <none>
-- no debconf information