[security] Any password unlocks tomb when using pinentry-curses and non-empty $DISPLAY #385
Comments
@aaronjanse weird, can you give us the output of tomb -v

@aaronjanse thanks! Is there a NixOS version we can refer to and perhaps a Docker distribution of it to try to reproduce?
Ah, I'm having trouble finding a NixOS container that contains everything needed for tomb. Is there a known working Docker image for tomb that I could modify to use Nix?

Maybe it is worth looking at the
This is my ~/.gnupg/gpg-agent.conf: I have no ~/.gnupg/gpg.conf.

Not much :D Curious
Aha! I think I found it! This is only happening for
Perhaps this issue is not specific to NixOS.
@Narrat Here's my patch (master...aaronjanse:security-pinentry-curses). I'm putting it here instead of a PR to decrease visibility. Note that affected Tomb users will need to use the password
Awesome! Please file a PR; there is no security through obscurity and no reason for us to hide bugs! This will be listed among other glitches in the history of tomb to facilitate bugtracking. Tomb may not be the best tool out there, but at least it's an honest one! FTR this bug was introduced by my commit bbe9a49 in November 2014 and seems to affect installations where an X11 DISPLAY is available but only
Thank you for this! This is why I use Tomb :-) |
CVE-2020-28638 appears to have been assigned for this issue. |
Thank you for this tool. I've been using it for a while, and I appreciate its straightforwardness.
I recently noticed that my tomb unlocks no matter what password is provided.
Steps to reproduce:

  1. tomb with pinentry-curses in the $PATH
  2. tomb dig -s 100 foobar
  3. tomb forge foobar.key
  4. tomb lock foobar -k foobar.key
  5. tomb open foobar -k foobar.key (!!!)

My operating system is NixOS.
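A preflight check, added here as an example and not part of this issue or of Tomb's own code: it flags a shell session that matches the combination reported above, a non-empty $DISPLAY together with a curses pinentry, as read from the pinentry-program line of gpg-agent.conf or, failing that, from pinentry-curses being on $PATH. The function names, the two optional parameters and the configuration file contents used in the test are assumptions made for illustration; the check says nothing about whether the installed Tomb carries the fix, only whether the reported trigger conditions are present.

```shell
#!/bin/sh
# Added example (not Tomb's code): preflight check for the environment in
# which issue #385 / CVE-2020-28638 was reported, i.e. a non-empty $DISPLAY
# while the pinentry in use is pinentry-curses.
#
# Exit status: 0 = combination not present, 1 = combination present.
# Both arguments are optional and exist so the check can be exercised
# against constructed values:
#   $1  display value to test (defaults to $DISPLAY)
#   $2  gpg-agent.conf to read (defaults to ~/.gnupg/gpg-agent.conf)

# Print the pinentry-program configured in gpg-agent.conf, if any.
configured_pinentry() {
    conf="${1:-${HOME-}/.gnupg/gpg-agent.conf}"
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}//p' "$conf" | tail -n 1
}

tomb_pinentry_env_risk() {
    display="${1-${DISPLAY-}}"
    conf="$2"

    # Without an X11 display the reported code path is not reached.
    [ -n "$display" ] || return 0

    prog=$(configured_pinentry "$conf")
    if [ -n "$prog" ]; then
        # gpg-agent is explicitly pointed at a pinentry; judge by its name.
        case "$(basename "$prog")" in
            *curses*) return 1 ;;
        esac
        return 0
    fi

    # No explicit setting: the report's trigger was pinentry-curses on $PATH.
    if command -v pinentry-curses >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone use: report on the current session.
if tomb_pinentry_env_risk; then
    echo "ok: no DISPLAY + pinentry-curses combination detected"
else
    echo "warning: DISPLAY is set and a curses pinentry is in use; see Tomb issue #385"
fi
```

Run it in the same session you would run tomb open from, since $DISPLAY and $PATH are what decide the outcome; a warning means a wrong passphrase should be tried deliberately before trusting the tomb as locked.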