Package: clipit
Version: 1.4.2-1
Description of problem:
This clipboard manager stores history in a file in the user's homedir,
~/.local/share/clipit/history; however, the permissions on this file are
defaulted to 644 (-rw-r--r--), which means anyone on the machine can
read a user's clipboard history.
If people are using password managers where it involves you copying a
password temporarily then this causes a huge security risk.
How reproducible:
Steps to Reproduce:
1. apt-get install clipit
2. Enable it and use it
3. Copy a password
4. Log in as another user
5. # strings ~foo/.local/share/clipit/history
Actual results:
Their clipboard history.
Expected results:
strings: /home/foo/.local/share/clipit/history: Permission denied
Additional info:
This is horrific in environments where there are multiple users.
Tested on: Debian Jessie (8.3)
--
Imran Hussain
https://sucs.org
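
Added example, not part of the original report and not clipit's own code: one way a history file ends up 644 (a plain fopen() under the common umask 022, which is an assumption about the cause) beside a save routine that creates the file as 600 and also tightens a file left over from an earlier run. The function names, the scratch directory and the sample data are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": fopen() asks for 0666 and the umask trims it; umask 022 gives 0644. */
static int save_default(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* "After": create as 0600, and tighten a file left behind with a wider mode. */
static int save_private(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    FILE *f = fdopen(fd, "wb");
    if (!f) { close(fd); return -1; }
    fputs(data, f);
    return fclose(f);
}

/* Runs the chosen saves (bit 1: default, bit 2: private) in a scratch dir; returns final mode bits. */
int history_mode_after(int steps) {
    char dir[] = "/tmp/history-demo-XXXXXX", path[64];
    struct stat st;
    int mode = -1;
    mode_t old = umask(022);               /* assumed system default umask */
    if (mkdtemp(dir)) {
        snprintf(path, sizeof path, "%s/history", dir);
        if ((steps & 1) && save_default(path, "constructed-secret\n") != 0) steps = 0;
        if ((steps & 2) && save_private(path, "constructed-secret\n") != 0) steps = 0;
        if (steps && stat(path, &st) == 0) mode = (int)(st.st_mode & 0777);
        unlink(path);
        rmdir(dir);
    }
    umask(old);
    return mode;
}

int main(void) {
    printf("%o %o %o\n", history_mode_after(1), history_mode_after(2), history_mode_after(3));
    return 0;
}
```

The fchmod() call matters for upgrades: open() applies its mode argument only when it creates the file, so a history file already written as 644 would otherwise stay world-readable.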