Tue 31.12.2024 at 17.55 Andreas Metzler (ametz...@bebt.de) wrote:
>
> On 2023-05-23 Martin-Éric Racine <martin-eric.rac...@iki.fi> wrote:
> > Package: pinentry-curses
> > Version: 1.2.1-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> >
> > Having just upgraded from Bullseye to Bookworm, I notice that
> > pinentry-curses leaks keystrokes to the CLI.
> >
> > 1) This is a serious security issue, since the passphrase gets written
> > to the CLI history (in my case, to .bash_history).
> > 2) Additionally, it results in the passphrase failing to get entered.
> > I see an "X to 3 try" warning.
>
> Hello,
>
> I just tried to reproduce this in vain:
>
> # start new shell
> bash
> # exec pinentry-curses 1.2.1-1
> ametzler@argenau:/tmp/PINENTRY$ /tmp/pinentty/usr/bin/pinentry-curses
> OK Pleased to meet you, process 78822
> getpin
> D geheim
> OK
> bye
> OK closing connection
> ametzler@argenau:/tmp/PINENTRY$ exit
> exit
> ametzler@argenau:/tmp/PINENTRY$ tail -n2 ~/.bash_history
> /tmp/pinentty/usr/bin/pinentry-curses
> exit
> ametzler@argenau:/tmp/PINENTRY$

This bug is over 1 year old. For obvious reasons, I haven't waited so long for a solution and already resorted to other tools.

Martin-Éric