[pkg-gnupg-maint] Bug#1036655: pinentry-curses: leaks keystrokes to the shell

Andreas Metzler ametzler at bebt.de
Tue Dec 31 15:54:57 GMT 2024


On 2023-05-23 Martin-Éric Racine <martin-eric.racine at iki.fi> wrote:
> Package: pinentry-curses
> Version: 1.2.1-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

> Having just upgraded from Bullseye to Bookworm, I notice that
> pinentry-curses leaks keystrokes to the CLI.

> 1) This is a serious security issue, since the passphrase gets written
> to the CLI history (in my case, to .bash_history).
> 2) Additionally, it results in the passphrase failing to get entered.
> I see an "X to 3 try" warning.

Hello,

I just tried to reproduce this in vain:

# start new shell
bash
# exec pinentry-curses 1.2.1-1
ametzler at argenau:/tmp/PINENTRY$ /tmp/pinentty/usr/bin/pinentry-curses
OK Pleased to meet you, process 78822
getpin
D geheim
OK
bye
OK closing connection
ametzler at argenau:/tmp/PINENTRY$ exit
exit
ametzler at argenau:/tmp/PINENTRY$ tail -n2 ~/.bash_history
/tmp/pinentty/usr/bin/pinentry-curses
exit
ametzler at argenau:/tmp/PINENTRY$

cu Andreas


