On 2025-08-07 18:52:47 +0700, Max Nikulin wrote:
> On 06/08/2025 10:18, Vincent Lefevre wrote:
> > On 2025-08-06 09:33:12 +0700, Max Nikulin wrote:
> > > I believe proper tags are neither security+critical nor wishlist, but
> > > something in between.
> >
> > Note that passwords can easily be leaked.
>
> I see, earlier I even mentioned a protocol that allows a clipboard manager to
> ignore text copied by password managers.

X11 selections are different from the clipboard.

> However, I am in doubt whether setting an excessively high severity a few days
> before release is the best way to handle the issue. Are you trying to remove
> the stardict packages from trixie completely? I do not think bookworm users
> who have the application installed will like it.

AFAIK, there are tags to ignore the RC severity for the next release.

The vulnerability here is important enough to justify a high severity.
In particular, it should be signaled by apt-listbugs.

> On 06/08/2025 09:49, Vincent Lefevre wrote:
> > In my case, there is a popup, but:
> > * It appears only after something is selected, so this is too late
> >   (it does not ask for confirmation before sending data to the
> >   remote servers).
> > * It does not say that the selection is sent to remote servers.
>
> In general I agree; on the other hand, I find it unlikely that a user decided
> to select something confidential before discovering the popup. Common sense
> may suggest that the application may store query history at least locally. I do
> not object that the issue must be fixed, but it can be done routinely.

I doubt that every user has common sense (otherwise phishing would not
exist). Moreover, storing query history is a bit uncommon; for instance,
dict does not, and spelling tools like ispell don't either. And storing
confidential data locally is much less of an issue than sending it to the
network, and such data may already be present unencrypted in the local
file system, so that storage by the application would just duplicate
the same data.

Moreover, initially I had not thought that a query was even done: as a
calendar was displayed (which is really strange for a dictionary
application) and I did not see anything that looked like an answer to a
query, I was just thinking of some UI bug.
-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

