Package: pinentry-curses
Version: 1.2.1-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Having just upgraded from Bullseye to Bookworm, I notice that pinentry-curses 
leaks keystrokes to the CLI.

1) This is a serious security issue, since the passphrase gets written to the 
CLI history (in my case, to .bash_history).
2) Additionally, it results in the passphrase failing to get entered. I see an 
"X to 3 try" warning.

Martin-Éric

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (900, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages pinentry-curses depends on:
ii  libassuan0     2.5.5-5
ii  libc6          2.36-9
ii  libgpg-error0  1.46-1
ii  libncursesw6   6.4-4
ii  libtinfo6      6.4-4

pinentry-curses recommends no packages.

Versions of packages pinentry-curses suggests:
pn  pinentry-doc  <none>

-- no debconf information
