On 2023-05-23 Martin-Éric Racine <martin-eric.rac...@iki.fi> wrote:
> Package: pinentry-curses
> Version: 1.2.1-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Having just upgraded from Bullseye to Bookworm, I notice that
> pinentry-curses leaks keystrokes to the CLI.
>
> 1) This is a serious security issue, since the passphrase gets written
> to the CLI history (in my case, to .bash_history).
>
> 2) Additionally, it results in the passphrase failing to get entered.
> I see an "X to 3 try" warning.

Hello,

I just tried to reproduce this in vain:

# start new shell
bash
# exec pinentry-curses 1.2.1-1
ametzler@argenau:/tmp/PINENTRY$ /tmp/pinentty/usr/bin/pinentry-curses
OK Pleased to meet you, process 78822
getpin
D geheim
OK
bye
OK closing connection
ametzler@argenau:/tmp/PINENTRY$ exit
exit
ametzler@argenau:/tmp/PINENTRY$ tail -n2 ~/.bash_history
/tmp/pinentty/usr/bin/pinentry-curses
exit
ametzler@argenau:/tmp/PINENTRY$

cu Andreas