Bug#800772: Password leaked into process list with p7zip
Philipp Kern
pkern at debian.org
Sat Oct 3 13:06:27 UTC 2015
Package: file-roller
Version: 3.14.1-1
Severity: important
When producing an encrypted 7z archive the following leaks into ps
output:
/usr/lib/p7zip/7z a -bd -y -p<pass> -mx=7 -i@<file-list> -- <output-file>
The password should instead be passed via stdin or through some
other mechanism because this way it is leaked to other users on
the same system.
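As an added illustration (not part of the bug report and not file-roller or p7zip code), the script below shows how a defender can audit a running Linux host for exactly this exposure: it reads argv of every visible process from /proc/<pid>/cmdline, flags p7zip invocations (binaries named 7z, 7za or 7zr) that carry an inline `-p<pass>` switch before the `--` separator, and reports them with the secret redacted. A bare `-p` with no value is not flagged, since p7zip then prompts for the password instead of taking it from argv. The process IDs, paths and password in SAMPLE are constructed for the demonstration.

```python
import os
from typing import Iterable, List, Tuple

# Binaries shipped by p7zip-full that accept the -p<pass> switch.
ARCHIVERS = {"7z", "7za", "7zr"}


def leaked_password_args(argv: List[str]) -> List[int]:
    """Return the argv indices that carry an inline password for a p7zip call.

    Only switches before the "--" separator are considered; anything after it
    is a file name, not a switch.  A bare "-p" (no value) is not a leak because
    p7zip then prompts for the password instead of reading it from argv.
    """
    if not argv or os.path.basename(argv[0]) not in ARCHIVERS:
        return []
    hits = []
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "--":
            break
        if arg.startswith("-p") and len(arg) > 2:
            hits.append(i)
    return hits


def redact(argv: List[str]) -> List[str]:
    """Copy argv with every inline password replaced by a placeholder."""
    out = list(argv)
    for i in leaked_password_args(argv):
        out[i] = "-p<REDACTED>"
    return out


def read_proc_cmdlines() -> Iterable[Tuple[int, List[str]]]:
    """Yield (pid, argv) for every process whose cmdline is readable in /proc.

    This is the same data `ps` shows, and by default it is readable by every
    user on the system, which is why a password in argv is exposed.
    """
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or is not readable (hidepid)
        if not raw:
            continue  # kernel thread
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        yield int(name), argv


def scan(cmdlines: Iterable[Tuple[int, List[str]]]) -> List[Tuple[int, List[str]]]:
    """Return (pid, redacted argv) for every process leaking a p7zip password."""
    return [(pid, redact(argv)) for pid, argv in cmdlines if leaked_password_args(argv)]


# Constructed sample process table (pids, paths and password are made up).
SAMPLE = [
    (4242, ["/usr/lib/p7zip/7z", "a", "-bd", "-y", "-phunter2", "-mx=7",
            "-i@/tmp/list", "--", "/home/user/out.7z"]),      # leaks
    (4243, ["/usr/lib/p7zip/7z", "a", "-p", "out.7z", "doc.txt"]),  # prompts, no leak
    (4244, ["/usr/bin/tar", "-cf", "x.tar", "-pnotapassword"]),  # not p7zip
    (4245, ["/usr/bin/7z", "x", "--", "-pweird-filename.7z"]),  # file name after --
]


if __name__ == "__main__":
    for pid, argv in scan(read_proc_cmdlines()):
        print(f"pid {pid}: password visible in argv: {' '.join(argv)}")
```

Run it on the affected machine while file-roller is compressing; the report lists the offending process with the password already masked, so the output itself is safe to paste into a ticket. The scan is point-in-time only: a short-lived 7z process can finish between two scans, so on multi-user hosts the durable fix is the one the report asks for (not putting the secret in argv at all), with `hidepid` on /proc as a partial mitigation.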
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages file-roller depends on:
ii bzip2 1.0.6-7+b3
ii dconf-gsettings-backend [gsettings-backend] 0.22.0-1
ii libarchive13 3.1.2-11
ii libc6 2.19-18+deb8u1
ii libcairo2 1.14.0-2.1
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u2
ii libglib2.0-0 2.42.1-1
ii libgtk-3-0 3.14.5-1+deb8u1
ii libjson-glib-1.0-0 1.0.2-1
ii libmagic1 1:5.22+15-2
ii libnautilus-extension1a 3.14.1-2
ii libnotify4 0.7.6-2
ii libpango-1.0-0 1.36.8-3
ii nautilus-data 3.14.1-2
ii p7zip-full 9.20.1~dfsg.1-4.1+deb8u1
Versions of packages file-roller recommends:
ii gnome-icon-theme 3.12.0-1
ii gnome-icon-theme-symbolic 3.12.0-1
ii gvfs 1.22.2-1
ii unar 1.8.1-3+b1
ii yelp 3.14.1-1
Versions of packages file-roller suggests:
pn arj <none>
pn lha <none>
pn lzip <none>
ii lzma 9.22-2
ii lzop 1.03-3
pn ncompress <none>
pn rpm2cpio <none>
pn rzip <none>
ii sharutils 1:4.14-2
pn unace <none>
pn unalz <none>
ii unzip 6.0-16
ii xz-utils [lzma] 5.1.1alpha+20120614-2+b3
ii zip 3.0-8
pn zoo <none>
-- no debconf information