Bug 613298 - app-admin/pass - `pass -c` expects just any clipboard managers to clear passwords
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jason A. Donenfeld
Reported: 2017-03-20 10:17 UTC by Daniele
Modified: 2018-08-04 10:07 UTC
Attachments
emerge --info (emergeinfo.log,17.88 KB, text/plain)
2017-03-20 10:17 UTC, Daniele
Description Daniele 2017-03-20 10:17:41 UTC
Created attachment 467644
emerge --info

Expected Behaviour:
If you use Parcellite as a clipboard manager and pass as a password manager, and you use "pass -c" to temporarily copy a password to your clipboard, it should get cleared from the history after 45 seconds.

Actual Behaviour:
After 45 seconds, the password gets pushed down to a lower spot in the history list, and it's possible to read it and sometimes even select it to paste again.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-04-08 06:35:51 UTC
I'm going to guess parcellite is the one at fault here.
Comment 2 Daniele 2017-04-08 09:18:36 UTC
(In reply to Michał Górny from comment #1)
> I'm going to guess parcellite is the one at fault here.

I agree on that; I think there is no option for parcellite to delete the last history entry, nor can I see an easy way to clear the full history automatically.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-08 09:26:10 UTC
The problem is the reliance on xclip. Any clipboard manager that retains a history of clipboard contents/X cut buffers makes `pass` vulnerable. I'm not even sure this is a valid security issue.
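
A constructed model of the behaviour discussed in this report, added here as an example (it is not code from pass, Parcellite or any commenter). It assumes a timed copy that puts the previous selection back after a delay, and a manager that records every selection change; `HIST_FILE`, `set_selection`, `timed_copy` and `history_position` are hypothetical names, and no real X selection is touched.

```shell
#!/bin/sh
# Constructed model: HIST_FILE stands in for a history-keeping clipboard
# manager's store; SELECTION stands in for the current clipboard contents.
HIST_FILE=$(mktemp)
trap 'rm -f "$HIST_FILE" "$HIST_FILE.new"' EXIT
SELECTION=""

# Every change of the selection is seen and recorded by the manager, newest first.
set_selection() {
    SELECTION=$1
    { printf '%s\n' "$1"; cat "$HIST_FILE"; } > "$HIST_FILE.new"
    mv "$HIST_FILE.new" "$HIST_FILE"
}

# Assumed shape of a timed copy: remember the old contents, copy the secret,
# wait, then restore the old contents if the secret is still selected.
timed_copy() {
    secret=$1
    delay=$2
    before=$SELECTION
    set_selection "$secret"
    sleep "$delay"
    if [ "$SELECTION" = "$secret" ]; then
        set_selection "$before"
    fi
}

# Position (1 = newest) of an exact entry in the history, 0 if absent.
# The value goes through the environment so awk does not interpret escapes.
history_position() {
    S=$1 awk '($0 "") == (ENVIRON["S"] "") { print NR; found = 1; exit }
              END { if (!found) print 0 }' "$HIST_FILE"
}

# Constructed sample run; the delay is 0 here instead of 45 seconds.
set_selection "some earlier text"
timed_copy "constructed-secret-123" 0

echo "selection after timeout: $SELECTION"
echo "secret still in history at position: $(history_position 'constructed-secret-123')"
```

The restore step only adds a newer entry on top, so the secret ends up one position lower in the history, which is the behaviour the report describes.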