Package: file-roller
Version: 3.14.1-1
Severity: important

When producing an encrypted 7z archive the following leaks into ps output:

/usr/lib/p7zip/7z a -bd -y -p<pass> -mx=7 -i@<file-list> -- <output-file>

The password should instead be passed via stdin or through some other
mechanism because this way it is leaked to other users on the same system.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages file-roller depends on:
ii  bzip2                                         1.0.6-7+b3
ii  dconf-gsettings-backend [gsettings-backend]   0.22.0-1
ii  libarchive13                                  3.1.2-11
ii  libc6                                         2.19-18+deb8u1
ii  libcairo2                                     1.14.0-2.1
ii  libgdk-pixbuf2.0-0                            2.31.1-2+deb8u2
ii  libglib2.0-0                                  2.42.1-1
ii  libgtk-3-0                                    3.14.5-1+deb8u1
ii  libjson-glib-1.0-0                            1.0.2-1
ii  libmagic1                                     1:5.22+15-2
ii  libnautilus-extension1a                       3.14.1-2
ii  libnotify4                                    0.7.6-2
ii  libpango-1.0-0                                1.36.8-3
ii  nautilus-data                                 3.14.1-2
ii  p7zip-full                                    9.20.1~dfsg.1-4.1+deb8u1

Versions of packages file-roller recommends:
ii  gnome-icon-theme           3.12.0-1
ii  gnome-icon-theme-symbolic  3.12.0-1
ii  gvfs                       1.22.2-1
ii  unar                       1.8.1-3+b1
ii  yelp                       3.14.1-1

Versions of packages file-roller suggests:
pn  arj              <none>
pn  lha              <none>
pn  lzip             <none>
ii  lzma             9.22-2
ii  lzop             1.03-3
pn  ncompress        <none>
pn  rpm2cpio         <none>
pn  rzip             <none>
ii  sharutils        1:4.14-2
pn  unace            <none>
pn  unalz            <none>
ii  unzip            6.0-16
ii  xz-utils [lzma]  5.1.1alpha+20120614-2+b3
ii  zip              3.0-8
pn  zoo              <none>

-- no debconf information
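
Added example, not part of the original report and not file-roller or p7zip code: a Python audit check that finds running 7z processes whose argument list carries a -p<password> switch, as in the command line quoted above, and reports them with the password redacted. The function names, the set of binary names and the sample command line are assumptions constructed for illustration.

```python
import os
from typing import List, Optional, Tuple

SEVENZ_NAMES = {"7z", "7za", "7zr"}  # assumption: p7zip binary names to watch

# Constructed sample in /proc/<pid>/cmdline layout (NUL-separated argv).
SAMPLE = (b"/usr/lib/p7zip/7z\0a\0-bd\0-y\0-pS3cret-constructed\0"
          b"-mx=7\0-i@/tmp/list\0--\0out.7z\0")


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated argv that Linux exposes per process."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_password_switch(argv: List[str]) -> Optional[int]:
    """Index of a 7z -p<password> argument, or None if there is none."""
    if not argv or os.path.basename(argv[0]) not in SEVENZ_NAMES:
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "--":  # everything after "--" is a file name, not a switch
            return None
        if arg.startswith("-p") and len(arg) > 2:  # bare -p carries no secret
            return i
    return None


def redact(argv: List[str]) -> List[str]:
    """Copy of argv that is safe to log: the password value is masked."""
    out = list(argv)
    idx = find_password_switch(argv)
    if idx is not None:
        out[idx] = "-p<redacted>"
    return out


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, List[str]]]:
    """Return (pid, redacted argv) for every process exposing a 7z password."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited, or access denied (e.g. hidepid mount)
        if find_password_switch(argv) is not None:
            findings.append((int(entry), redact(argv)))
    return findings


if __name__ == "__main__":
    print(redact(parse_cmdline(SAMPLE)))
    for pid, argv in scan_proc():
        print(pid, " ".join(argv))
```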