Package: pinentry-qt4
Version: 0.8.3-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The bug described here applies not only to the pinentry-qt4 package but also to the pinentry-gtk2 package.

The pinentry password dialog does not support paste in any form, as far as I can tell. Neither Ctrl-V nor Ctrl-Shift-V works, nor is pasting supported through a right-click-accessible context-specific menu. Furthermore, the documentation does not describe any support for pasting passwords from the clipboard. (In fact, it does not even explicitly state that pasting is not supported. This blanket ignoring of password-pasting in the documentation makes the situation only more irritating, because the user needs to work harder to determine that a commonly expected feature is in fact not supported.)

In the absence of support for pasting the password from the clipboard, the user is forced to type the password in. This represents a security threat for two reasons:

1. typing passwords is vulnerable to keyloggers;
2. the need to type passwords encourages users to choose short, and therefore insecure, passwords.

The second point above is particularly important: *pinentry forces users to adopt a highly insecure practice.*

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pinentry-qt4 depends on:
ii  libc6         2.19-18+deb8u1
ii  libgcc1       1:4.9.2-10
ii  libncursesw5  5.9+20140913-1+b1
ii  libqtcore4    4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtgui4     4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libstdc++6    4.9.2-10
ii  libtinfo5     5.9+20140913-1+b1

pinentry-qt4 recommends no packages.

Versions of packages pinentry-qt4 suggests:
ii  pinentry-doc  0.8.3-2

-- no debconf information

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team