[pkg-gnupg-maint] Bug#1036655: pinentry-curses: leaks keystrokes to the shell

Martin-Éric Racine martin-eric.racine at iki.fi
Tue May 23 21:51:38 BST 2023

Package: pinentry-curses
Version: 1.2.1-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Having just upgraded from Bullseye to Bookworm, I notice that pinentry-curses leaks keystrokes to the CLI.

1) This is a serious security issue, since the passphrase gets written to the CLI history (in my case, to .bash_history).
2) Additionally, it results in the passphrase failing to get entered. I see an "X to 3 try" warning.


-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (900, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages pinentry-curses depends on:
ii  libassuan0     2.5.5-5
ii  libc6          2.36-9
ii  libgpg-error0  1.46-1
ii  libncursesw6   6.4-4
ii  libtinfo6      6.4-4

pinentry-curses recommends no packages.

Versions of packages pinentry-curses suggests:
pn  pinentry-doc  <none>

-- no debconf information

More information about the pkg-gnupg-maint mailing list