Package: spice-client-gtk
Version: 0.38-2
Severity: normal
Tags: upstream

The spicy command (and related commands in this package) only allow scripting a password via the -w parameter. This means that any program that can run ps on the same system can see the password. This may or may not be a security issue depending on what the goals are.

I think that users who want to script connections but not allow ps to see the password should have an option.

For an example of how other programs do it, here's an excerpt from the mysql man page:

    Specifying a password on the command line should be considered insecure. You can use an option file to avoid giving the password on the command line.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages spice-client-gtk depends on:
ii  libc6                       2.30-8
ii  libglib2.0-0                2.64.3-2
ii  libgstreamer1.0-0           1.16.2-2
ii  libgtk-3-0                  3.24.20-1
ii  libspice-client-glib-2.0-8  0.38-2
ii  libspice-client-gtk-3.0-5   0.38-2
ii  libusbredirhost1            0.8.0-1+b1
ii  libusbredirparser1          0.8.0-1+b1

spice-client-gtk recommends no packages.

spice-client-gtk suggests no packages.

-- debconf-show failed
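The option-file approach in the mysql excerpt, sketched as an added Python example (not part of the original report and not spicy's code): the secret is read from a file that is accepted only if it is a regular file, owned by the caller, with no group or other permission bits, so it never appears in the process arguments that ps displays. The `[client]` / `password` layout follows mysql option files; the file name `client.cnf`, the function names and the sample password are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


class InsecureOptionFile(Exception):
    """The option file is readable or replaceable by another user."""


def load_password(path, section="client", key="password"):
    """Return the password from a private option file, or raise."""
    # O_NOFOLLOW refuses a symlink at the final path component; O_NONBLOCK
    # keeps a FIFO planted there from hanging the open. fstat() inspects the
    # object actually opened, so there is no check-then-open race.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise InsecureOptionFile(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise InsecureOptionFile(f"{path}: not owned by the caller")
        if st.st_mode & 0o077:
            raise InsecureOptionFile(f"{path}: group/other bits set")
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_file(fh)
    return parser.get(section, key)


def demo():
    """Constructed sample: the same file is accepted at 0600, refused at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client.cnf")  # hypothetical file name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("[client]\npassword = constructed-example\n")
        accepted = load_password(path)
        os.chmod(path, 0o644)
        try:
            load_password(path)
            refused = False
        except InsecureOptionFile:
            refused = True
    return accepted, refused


if __name__ == "__main__":
    print(demo())
```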