Bug 825350 - app-editors/vim-8.2.3428-r1 puts junk into pinentry Passphrase window with vim-gnupg-2.7.1 plugin
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Vim Maintainers
Blocks: CVE-2021-3770, CVE-2021-3778, CVE-2021-3796
Reported: 2021-11-20 20:00 UTC by Andy Figueroa
Modified: 2021-11-22 16:49 UTC


Attachments
emerge --info app-editors/vim attached (emergeinfovim.txt, 6.47 KB, text/plain)
2021-11-20 20:00 UTC, Andy Figueroa
Description Andy Figueroa 2021-11-20 20:00:17 UTC
Created attachment 754026
emerge --info app-editors/vim attached

The October 30 update to vim-8.2.3428-r1, which I use with vim-gnupg-2.7.1 from https://www.vim.org/scripts/script.php?script_id=3645 rather than the app-vim/gnupg that is in the tree, causes the pinentry popup to come up with the Passphrase window populated with junk entries. If I backspace out the junk entries, the password will be accepted.

Trial and error shows that masking app-editors/vim-8.2.3428-r1 in /etc/portage/package.mask results in a downgrade to app-editors/vim-8.2.0814-r100, which works normally with the vim-gnupg plugin and pinentry without the junk artifacts, as it did before.

emerge --info app-editors/vim attached.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-21 05:02:56 UTC
Thanks for the report. I think we might need to report this upstream (to vim-gnupg?). Interestingly I didn't see anything there yet and I know somebody was using vim-gnupg with the latest version fine..
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-21 05:05:09 UTC
Is 8.2.3582 any better?
Comment 3 Andy Figueroa 2021-11-21 05:25:02 UTC
I upgraded to vim and vim-core 8.2.3582 and the junk in the pinentry Passphrase window returns. Downgrade again to vim-8.2.0814-r100 and vim-core-8.2.0814 fixes the problem.
Comment 4 Andy Figueroa 2021-11-21 05:31:20 UTC
Other uses of gnupg and pinentry with vim-gnupg-2.7.1 do not result in junk in the pinentry Passphrase window. That was how I narrowed down the issue to vim. But I did not try to revert to earlier versions of vim-gnupg or pinentry. I'm using pinentry-1.2.0 and the upgrade to pinentry-1.2.0 on October 17 was apparently uneventful.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-21 05:32:30 UTC
(In reply to Andy Figueroa from comment #4)
> Other uses of gnupg and pinentry with vim-gnupg-2.7.1 do not result in junk
> in the pinentry Passphrase window. That was how I narrowed down the issue to
> vim. But I did not try to revert to earlier versions of vim-gnupg or pinentry.
> I'm using pinentry-1.2.0 and the upgrade to pinentry-1.2.0 on October 17 was
> apparently uneventful.

Thanks, I'm currently trying to dig through vim commits. Unfortunately, there's a _lot_...

If you feel bored, bisecting would be useful, but you're not obligated to do that. I'm not really a vim user so I'm just looking through commits + bugs between those versions to see what changed, but we were a bit behind, so there's a lot sadly.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-21 05:33:35 UTC
(In reply to Sam James from comment #5)
> (In reply to Andy Figueroa from comment #4)
> > Other uses of gnupg and pinentry with vim-gnupg-2.7.1 do not result in junk
> > in the pinentry Passphrase window. That was how I narrowed down the issue to
> > vim. But I did not try to revert to earlier versions of vim-gnupg or pinentry.
> > I'm using pinentry-1.2.0 and the upgrade to pinentry-1.2.0 on October 17 was
> > apparently uneventful.
> 
> Thanks, I'm currently trying to dig through vim commits. Unfortunately,
> there's a _lot_...
> 
> If you feel bored, bisecting would be useful, but you're not obligated to do
> that. I'm not really a vim user so I'm just looking through commits + bugs
> between those versions to see what changed, but we were a bit behind, so
> there's a lot sadly.

I think reporting it to vim upstream itself (https://github.com/vim/vim/issues) is probably the better option actually.
Comment 7 Andy Figueroa 2021-11-21 05:34:15 UTC
(In reply to Andy Figueroa from comment #4)
> Other uses of gnupg and pinentry with vim-gnupg-2.7.1 do not result in junk
> in the pinentry Passphrase window. That was how I narrowed down the issue to
> vim. But I did not try to revert to earlier versions of vim-gnupg or pinentry.
> I'm using pinentry-1.2.0 and the upgrade to pinentry-1.2.0 on October 17 was
> apparently uneventful.

I should not have written "vim-gnupg-2.7.1" above. That part wasn't relevant. The objective was to indicate that only use with vim results in the artefact.
Comment 8 Andy Figueroa 2021-11-21 05:38:45 UTC
(In reply to Sam James from comment #6)
> (In reply to Sam James from comment #5)
> > (In reply to Andy Figueroa from comment #4)
> > > Other uses of gnupg and pinentry with vim-gnupg-2.7.1 do not result in junk
> > > in the pinentry Passphrase window. That was how I narrowed down the issue to
> > > vim. But I did not try to revert to earlier versions of vim-gnupg or pinentry.
> > > I'm using pinentry-1.2.0 and the upgrade to pinentry-1.2.0 on October 17 was
> > > apparently uneventful.
> > 
> > Thanks, I'm currently trying to dig through vim commits. Unfortunately,
> > there's a _lot_...
> > 
> > If you feel bored, bisecting would be useful, but you're not obligated to do
> > that. I'm not really a vim user so I'm just looking through commits + bugs
> > between those versions to see what changed, but we were a bit behind, so
> > there's a lot sadly.
> 
> I think reporting it to vim upstream itself
> (https://github.com/vim/vim/issues) is probably the better option actually.

By Gentoo vim maintainers or by me?
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-22 05:52:04 UTC
(In reply to Andy Figueroa from comment #8)
> By Gentoo vim maintainers or by me?

If possible, you, just because I can't reproduce this and I wouldn't be able to offer any additional information (just relaying).
Comment 10 Andy Figueroa 2021-11-22 16:49:19 UTC
(In reply to Sam James from comment #9)
> (In reply to Andy Figueroa from comment #8)
> > By Gentoo vim maintainers or by me?
> 
> If possible, you, just because I can't reproduce this and I wouldn't be able
> to offer any additional information (just relaying).

I'll get it done.