#1036655 pinentry-curses: leaks keystrokes to the shell

Package:
pinentry-curses
Source:
pinentry-curses
Description:
curses-based PIN or pass-phrase entry dialog for GnuPG
Submitter:
Martin-Éric Racine
Date:
2025-01-01 11:00:02 UTC
Severity:
normal
#1036655#5
Date:
2023-05-23 20:51:38 UTC
Having just upgraded from Bullseye to Bookworm, I notice that pinentry-curses leaks keystrokes to the CLI.

1) This is a serious security issue, since the passphrase gets written to the CLI history (in my case, to .bash_history).
2) Additionally, it results in the passphrase failing to get entered. I see an "X to 3 try" warning.

Martin-Éric

#1036655#10
Date:
2024-12-31 15:54:57 UTC
Hello,

I just tried to reproduce this in vain:

# start new shell
bash
# exec pinentry-curses 1.2.1-1
ametzler@argenau:/tmp/PINENTRY$ /tmp/pinentty/usr/bin/pinentry-curses
OK Pleased to meet you, process 78822
getpin
D geheim
OK
bye
OK closing connection
ametzler@argenau:/tmp/PINENTRY$ exit
exit
ametzler@argenau:/tmp/PINENTRY$ tail -n2 ~/.bash_history
/tmp/pinentty/usr/bin/pinentry-curses
exit
ametzler@argenau:/tmp/PINENTRY$

cu Andreas

#1036655#15
Date:
2025-01-01 08:30:36 UTC
On Tue 31.12.2024 at 17:55, Andreas Metzler (ametzler@bebt.de) wrote:

This bug is over 1 year old. For obvious reasons, I haven't waited so
long for a solution and already resorted to other tools.

Martin-Éric

#1036655#20
Date:
2025-01-01 10:56:15 UTC
[...]
[...]

OK, let's close it then.

cu Andreas