Bug#801757: Pinentry displays password while typing

2015-10-16 Thread Klaus Ethgen

After finding the setting that is the real source of the problem, I
tracked that file down. I took it a very long time ago from an existing Debian
system and tweaked the parameter about gtk-recent-files-enabled and one
or the other. Unfortunately the change in pinentry that caused the
problem went unnoticed.

As I expect that the change will be kept, I propose a warning in the NEWS
file about it so admins are aware of possible upcoming problems.

The other solution would, of course, be to revert that change.

Regards
   Klaus

PS: Forgot to Cc the BTS.
-- 
Klaus Ethgen  http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Bug#801757: Pinentry displays password while typing

2015-10-16 Thread Axel Beckert
Hi,

Daniel Kahn Gillmor wrote:
> > In newest version, pinentry is displaying password when typing. (It is
> > displaying the last letter but an observer can easily read the password.)
> 
> i'm not seeing this behavior at all.  I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are.  The password entry field
> i see is just dots, no characters.

JFTR: I can't reproduce it either, running pinentry-gtk-2 on Sid (same
versions as above) amd64 Xen VM via SSH X forwarding to a Jessie amd64
box.

> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.

Thanks for that howto! Tried to figure that out myself, but didn't
find the proper documentation. (Didn't look for long either, though.)

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#801757: Pinentry displays password while typing

2015-10-16 Thread Klaus Ethgen

Hi,

On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> > Package: pinentry-gtk2
> > Version: 0.9.6-2
> 
> > In newest version, pinentry is displaying password when typing. (It is
> > displaying the last letter but an observer can easily read the password.)
> 
> i'm not seeing this behavior at all.  I'm using pinentry-gtk2 0.9.6-2,
> and libgtk2.0-0 2.24.28-1, just like you are.  The password entry field
> i see is just dots, no characters.
> 
> Could you try to reproduce it simply and help me to reproduce it?
> 
> To start with, can you reproduce it from the command line, by invoking
> "pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
> you", type "GETPIN" and hit enter.
> 
> Does the prompting still show the text for you?

Yes, it does.

> > Please revert that recent change back to the secure way of just
> > displaying dots.
> 
> I'm unaware of such a change, please help me track it down! :)
> 
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget.  is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?
> 
> can you try it from a new/clean user account on your machine?  can you
> try it from another machine with the same version installed?

Yes, the same. I created a completely fresh user and saw the same
result. And I have the same on all of my machines that run Debian sid.
(I have no desktop not running sid, but the problem just occurred
recently.)

And I heard from others that they also experienced that problem.

Maybe that gtk.Entry stuff is not secure to use. I am not aware what
exactly the recent change did.

Regards
   Klaus
-- 
Klaus Ethgen  http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C



Bug#801757: Pinentry displays password while typing

2015-10-16 Thread Klaus Ethgen

On Thu, 15 Oct 2015 at 21:56, Daniel Kahn Gillmor wrote:
> I'm unaware of such a change, please help me track it down! :)
> 
> the main recent change is that pinentry now relies on the underlying
> toolkit's password-entry widget.  is it possible that you have some
> unusual settings for your gtk.Entry widgets in general when they're in
> password mode?

Exactly that is the case. For some reason I have /etc/gtk-2.0/gtkrc
with "gtk-entry-password-hint-timeout = 600". After removing that, it is
fine.

I usually do not use GNOME stuff for highly secure stuff, so that was fine
until now. But with the change of pinentry to use that widget, there is
a big problem with that.

FYI, my current content of that file:
   gtk-key-theme-name = "Emacs"
   gtk-can-change-accels = 1
   gtk-entry-select-on-focus = 0
   gtk-entry-password-hint-timeout = 600
   gtk-recent-files-enabled = 0

I'm still not sure if a switch to that widget is the best move.

Regards
   Klaus
-- 
Klaus Ethgen  http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
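An added example, not part of the bug thread or the pinentry project: a small Python audit that parses the flat key = value gtkrc form quoted above, flags a non-zero gtk-entry-password-hint-timeout (the GTK2 setting that, as the thread explains, makes the toolkit's hidden entry, and therefore pinentry-gtk2 since it switched to that widget, reveal the last typed character for that many milliseconds), and produces a corrected copy with the timeout forced to 0. The sample gtkrc content is constructed from the report, and the two file paths checked at the bottom are assumed locations.

```python
import re
from pathlib import Path

# Constructed sample, mirroring the /etc/gtk-2.0/gtkrc quoted in the bug report.
SAMPLE_GTKRC = """\
gtk-key-theme-name = "Emacs"
gtk-can-change-accels = 1
gtk-entry-select-on-focus = 0
gtk-entry-password-hint-timeout = 600
gtk-recent-files-enabled = 0
"""

SETTING = "gtk-entry-password-hint-timeout"
# Flat "key = value" lines only; style/include blocks of full gtkrc syntax are not handled.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

def parse_gtkrc(text):
    """Return {key: value} for simple key = value lines, ignoring '#' comments."""
    settings = {}
    for raw in text.splitlines():
        match = _LINE_RE.match(raw.split("#", 1)[0])
        if match:
            settings[match.group(1)] = match.group(2).strip('"')
    return settings

def password_hint_timeout(text):
    """Milliseconds the last typed character stays visible (GTK default: 0 = never)."""
    value = parse_gtkrc(text).get(SETTING, "0")
    return int(value) if value.lstrip("-").isdigit() else None

def audit(text):
    """Findings for one gtkrc; an empty list means hidden entries only ever show dots."""
    ms = password_hint_timeout(text)
    if ms is None:
        return [f"{SETTING} has a non-numeric value; inspect manually"]
    if ms > 0:
        return [f"{SETTING} = {ms}: last typed character visible for {ms} ms"]
    return []

def hardened(text):
    """Copy of the gtkrc with the hint timeout forced to 0; unchanged if the key is absent."""
    pattern = re.compile(r"^(\s*" + re.escape(SETTING) + r"\s*=\s*)\S.*$", re.M)
    return pattern.sub(r"\g<1>0", text)

if __name__ == "__main__":  # assumed locations of the system-wide and per-user gtkrc
    for path in (Path("/etc/gtk-2.0/gtkrc"), Path.home() / ".gtkrc-2.0"):
        if path.is_file():
            for finding in audit(path.read_text(errors="replace")):
                print(f"{path}: {finding}")
```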



Bug#801757: Pinentry displays password while typing

2015-10-15 Thread Daniel Kahn Gillmor
Control: tags 801757 + moreinfo unreproducible

On Wed 2015-10-14 05:14:11 -0400, Klaus Ethgen wrote:
> Package: pinentry-gtk2
> Version: 0.9.6-2

> In newest version, pinentry is displaying password when typing. (It is
> displaying the last letter but an observer can easily read the password.)

i'm not seeing this behavior at all.  I'm using pinentry-gtk2 0.9.6-2,
and libgtk2.0-0 2.24.28-1, just like you are.  The password entry field
i see is just dots, no characters.

Could you try to reproduce it simply and help me to reproduce it?

To start with, can you reproduce it from the command line, by invoking
"pinentry-gtk-2" directly, and then after it says "OK Pleased to meet
you", type "GETPIN" and hit enter.

Does the prompting still show the text for you?

> Please revert that recent change back to the secure way of just
> displaying dots.

I'm unaware of such a change, please help me track it down! :)

the main recent change is that pinentry now relies on the underlying
toolkit's password-entry widget.  is it possible that you have some
unusual settings for your gtk.Entry widgets in general when they're in
password mode?

can you try it from a new/clean user account on your machine?  can you
try it from another machine with the same version installed?

Thanks for reporting the issue!

--dkg



Bug#801757: Pinentry displays password while typing

2015-10-14 Thread Klaus Ethgen

Package: pinentry-gtk2
Version: 0.9.6-2
Severity: grave

In newest version, pinentry is displaying password when typing. (It is
displaying the last letter but an observer can easily read the password.)

That is a big security issue that renders pinentry completely unusable in
any environment where one is not alone sitting in a dark cabin. When
working in a big office, that is insane!

Please revert that recent change back to the secure way of just
displaying dots.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.7 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages pinentry-gtk2 depends on:
ii  libassuan0     2.3.0-1
ii  libc6          2.19-22
ii  libglib2.0-0   2.46.0-2
ii  libgpg-error0  1.20-1
ii  libgtk2.0-0    2.24.28-1
ii  libncursesw5   6.0+20150810-1
ii  libsecret-1-0  0.18.3-1
ii  libtinfo5      6.0+20150810-1

pinentry-gtk2 recommends no packages.

Versions of packages pinentry-gtk2 suggests:
ii  pinentry-doc  0.9.6-2

-- no debconf information

-- 
Klaus Ethgen  http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C