Package: pass
Version: 1.7.4-7
Severity: important
Tags: patch upstream

Dear Maintainer,


* What led up to the situation?

  Using "pass" on the command line to copy a password entry to the clipboard.

* What exactly did you do (or not do) that was effective (or
  ineffective)?

  $ pass -c foobar

* What was the outcome of this action?

  Password was copied to the clipboard with the following message printed to stdout:

  "Copied foobar to clipboard. Will clear in 45 seconds."

  After 45 seconds, the clipboard was not cleared, which resulted in the 
password remaining visible each time the clipboard window was opened (for 
example, to access other entries).

* What outcome did you expect instead?

  The clipboard is properly cleared (after 45 seconds).


I've already analyzed the problem in more depth and found that the root cause 
lies in the fact that, as of Debian Trixie, many components that were 
previously provided on a Qt5 basis have now been replaced by their Qt6 
counterparts.

In the specific case of "pass", this concerns "qdbus". For example, when 
selecting the KDE Plasma desktop environment during a fresh Debian Trixie 
installation, "qdbus6" is available (in the execution path) by default, whereas 
"qdbus" (from version 5) is no longer present.


As a result, "pass" no longer properly performs the clipboard-clearing action.

One of my usual workflows involves using Klipper to conveniently paste 
frequently needed content (which is exactly what this clipboard manager is 
intended for).

After upgrading from Bookworm to Trixie, I was therefore shocked to discover, 
while working with a colleague on my computer, that my passwords were suddenly 
visible every time I opened the Klipper window via shortcut.

For me, this represents a significant security risk, as I often share a 
computer with colleagues.

Fortunately, I was able to fix the problem locally in a simple way. Since I 
assume that many other people will also be affected once they switch to Trixie, 
I wrote a small patch and created a merge request.

I hope this merge request is in some way useful and can be considered for 
application:

https://salsa.debian.org/debian/password-store/-/merge_requests/5


THX!


-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (99, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pass depends on:
ii  gnupg  2.4.7-21
ii  tree   2.2.1-1

Versions of packages pass recommends:
ii  git           1:2.47.2-0.2
ii  qrencode      4.1.1-2
ii  wl-clipboard  2.2.1-2
ii  xclip         0.13-4

Versions of packages pass suggests:
pn  libxml-simple-perl  <none>
ii  perl                5.40.1-5
pn  python              <none>
ii  python3             3.13.5-1
pn  ruby                <none>

-- no debconf information
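
The failure described in this report is silent: when "qdbus" is missing, the clipboard-manager history is never cleared and nothing is reported. The sketch below is an added example, not the patch from the merge request and not code from pass itself. It picks whichever of "qdbus6" or "qdbus" is in the execution path and warns when clearing fails; the function names are hypothetical, and the Klipper D-Bus service, object path and method are assumptions.

```shell
#!/bin/sh
# Added example (not the merge-request patch, not pass's own code).
# Assumption: Klipper exposes clearClipboardHistory on service
# org.kde.klipper at object path /klipper.

# Print the first D-Bus command-line tool found in PATH.
# The Qt6 name is tried first, then the Qt5 name.
find_qdbus() {
    for candidate in qdbus6 qdbus; do
        if command -v "$candidate" >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Clear Klipper's history. Returns 1 when no tool is available and 2 when
# the D-Bus call fails, with a warning on stderr in both cases, so the
# caller never assumes the password is gone when it is not.
clear_klipper_history() {
    tool=$(find_qdbus) || {
        echo "warning: no qdbus6/qdbus in PATH; Klipper history NOT cleared" >&2
        return 1
    }
    "$tool" org.kde.klipper /klipper \
        org.kde.klipper.klipper.clearClipboardHistory >/dev/null 2>&1 || {
        echo "warning: $tool call failed; Klipper history may still hold the password" >&2
        return 2
    }
}
```

Calling clear_klipper_history once the 45-second timeout has elapsed gives a non-zero exit status that a wrapper script can check or log.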
