| Summary: | app-admin/pass - `pass -c` expects just any clipboard managers to clear passwords | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Daniele <dpenazzo91> |
| Component: | Current packages | Assignee: | Jason A. Donenfeld <zx2c4> |
| Status: | UNCONFIRMED --- | ||
| Severity: | normal | CC: | bertrand |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | emerge --info | ||
I'm going to guess parcellite is the one at fault here. (In reply to Michał Górny from comment #1) > I'm going to guess parcellite is the one at fault here. I Agree on that, I think there is no option for parcellite to delete the last history entry, nor I can see an easy way to clear the full history automatically. The problem is the reliance on xclip. Any clipboard manager that retains a history of clipboard contents/X cut buffers makes `pass` vulnerable. I'm not even sure this is a valid security issue. |
Created attachment 467644 [details] emerge --info Expected Behaviour: If you use Parcellite as a clipboard manager and pass as password manager, if you use "pass -c" to temporarily copy a password in your clipboard, after 45 seconds it should get cleared from history. Actual Behaviour: After 45 seconds, the password gets pushed down in a lower spot in the history list and it's possible to read it and sometimes even select it to paste again.