Bug 948946 - app-arch/7zip echoes passwords
Summary: app-arch/7zip echoes passwords
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: NRK
Keywords: PATCH
Reported: 2025-01-28 09:58 UTC by squatted_posture785
Modified: 2025-01-29 19:33 UTC

Attachments
emerge --info (emerge-info.log,14.46 KB, text/x-log)
2025-01-28 09:58 UTC, squatted_posture785
Description squatted_posture785 2025-01-28 09:58:27 UTC
Created attachment 917711
emerge --info

When creating/extracting a password-protected 7z archive with app-arch/7zip, 7zz echoes the entered password in plain text:

% 7zz a -p test.7z test.txt

7-Zip (z) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:12 OPEN_MAX:1024

Scanning the drive:
1 file, 14809 bytes (15 KiB)

Creating archive: test.7z

Add new data to archive: 1 file, 14809 bytes (15 KiB)


Enter password:echoed_password


Files read from disk: 1
Archive size: 5754 bytes (6 KiB)
Everything is Ok

---

% 7zz x test.7z

7-Zip (z) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:12 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 5754 bytes (6 KiB)

Extracting archive: test.7z
--
Path = test.7z
Type = 7z
Physical Size = 5754
Headers Size = 154
Method = LZMA2:14 7zAES
Solid = -
Blocks = 1


Enter password:echoed_password

Everything is Ok

Size:       14809
Compressed: 5754

---

% which 7zz
/usr/bin/7zz

---

% qlist -Iv app-arch/7zip                                              
app-arch/7zip-24.09

---

% equery u app-arch/7zip   
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for app-arch/7zip-24.09:
 U I
 - - jwasm : Use dev-lang/jwasm to include optimized code (doesn't support AES)
 + + rar   : Enable support for non-free rar decoder
 - - uasm  : Use dev-lang/uasm to include optimized code

---

After noticing this, I eventually found the upstream issue: https://sourceforge.net/p/sevenzip/bugs/2450/

Debian is using a patch to avoid this behavior: https://salsa.debian.org/debian/7zip/-/blob/master/debian/patches/0003-Disable-local-echo-display-when-in-input-passwords-C.patch

In my opinion, it wouldn't hurt if the patch was added to the relevant ebuilds as well. Echoing passwords is a terrible idea.
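
For reference, the usual POSIX way to keep a typed password off the screen is to clear the terminal's ECHO flag around the read and restore the saved settings afterwards. The sketch below is an added example, not code from 7-Zip, the Debian patch, or this report; the names `without_echo` and `read_secret` are hypothetical. It also covers the case where the password is piped in and there is no terminal to configure.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Terminal flags with echo off; ECHONL still shows the final newline. */
static tcflag_t without_echo(tcflag_t lflag)
{
    return (lflag & ~(tcflag_t)ECHO) | ECHONL;
}

/* Read one line from fd into buf (NUL-terminated, newline stripped).
 * Returns its length, or -1 on error, empty EOF, or input >= cap bytes. */
static ssize_t read_secret(int fd, char *buf, size_t cap)
{
    struct termios saved = {0}, quiet;
    size_t n = 0;
    ssize_t r;
    char c;
    int is_tty;

    if (cap == 0)
        return -1;
    /* Piped input has no terminal settings to change. */
    is_tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (is_tty) {
        quiet = saved;
        quiet.c_lflag = without_echo(saved.c_lflag);
        /* TCSAFLUSH discards type-ahead entered while echo was still on. */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0)
            return -1;
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 >= cap) { r = -1; break; }   /* line too long */
        buf[n++] = c;
    }
    buf[n] = '\0';
    if (is_tty)
        tcsetattr(fd, TCSAFLUSH, &saved);      /* restore on every path */
    if (r < 0 || (r == 0 && n == 0)) {
        memset(buf, 0, cap);                   /* do not leave a partial secret */
        return -1;
    }
    return (ssize_t)n;
}

int main(void)
{
    char pw[256];
    fputs("Enter password:", stderr);
    ssize_t n = read_secret(STDIN_FILENO, pw, sizeof pw);
    if (n >= 0) fprintf(stderr, "read %zd characters\n", n);
    return n < 0;
}
```

A long-running tool would additionally restore the saved settings from a SIGINT handler so that Ctrl-C at the prompt does not leave the terminal with echo disabled.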