[pkg-gnupg-maint] Bug#1036655: pinentry-curses: leaks keystrokes to the shell
Martin-Éric Racine
martin-eric.racine at iki.fi
Wed Jan 1 08:30:36 GMT 2025
On Tue, 31 Dec 2024 at 17:55, Andreas Metzler (ametzler at bebt.de) wrote:
>
> On 2023-05-23 Martin-Éric Racine <martin-eric.racine at iki.fi> wrote:
> > Package: pinentry-curses
> > Version: 1.2.1-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> > Having just upgraded from Bullseye to Bookworm, I notice that
> > pinentry-curses leaks keystrokes to the CLI.
>
> > 1) This is a serious security issue, since the passphrase gets written
> > to the CLI history (in my case, to .bash_history).
> > 2) Additionally, it results in the passphrase failing to get entered.
> > I see an "X to 3 try" warning.
>
> Hello,
>
> I just tried to reproduce this in vain:
>
> # start new shell
> bash
> # exec pinentry-curses 1.2.1-1
> ametzler at argenau:/tmp/PINENTRY$ /tmp/pinentty/usr/bin/pinentry-curses
> OK Pleased to meet you, process 78822
> getpin
> D geheim
> OK
> bye
> OK closing connection
> ametzler at argenau:/tmp/PINENTRY$ exit
> exit
> ametzler at argenau:/tmp/PINENTRY$ tail -n2 ~/.bash_history
> /tmp/pinentty/usr/bin/pinentry-curses
> exit
> ametzler at argenau:/tmp/PINENTRY$

This bug is over 1 year old. For obvious reasons, I haven't waited so
long for a solution and already resorted to other tools.

Martin-Éric