Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#54358 - Password revealed during pacman -Syy command

Attached to Project: Arch Linux
Opened by damien gorlick (damiengorlick) - Thursday, 08 June 2017, 09:13 GMT
Last edited by Evangelos Foutras (foutrelis) - Friday, 09 June 2017, 11:48 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: Password revealed during pacman -Syy command

Sorry in advance for my layout it's my first bug report

Was typing my password into my terminal syncing pacman with -Syy & entered my password after asking & something glitched, as the database was syncing my password was broken down into segments showing pieces of it at the start of each database category sync revealing my full password plus saving it in terminal history.

Additional info:
* Terminator terminal


Steps to reproduce:
Nothing was out of the ordinary aside that I entered the password in at a ridiculously fast speed. Also tried pre-entering the password beforehand, entering the pacman -Syy command then re-entering the code even though super user access was already granted, though similar, was different and did not save the full code into the terminal history.
This task depends upon

Closed by  Evangelos Foutras (foutrelis)
Friday, 09 June 2017, 11:48 GMT
Reason for closing:  Works for me
Comment by Allan McRae (Allan) - Thursday, 08 June 2017, 10:25 GMT
pacman does not ask for your password. What did?
Comment by damien gorlick (damiengorlick) - Thursday, 08 June 2017, 10:41 GMT
it's the privilege authentication program sudo 1.8.20.p2-1
Comment by Jan de Groot (JGC) - Thursday, 08 June 2017, 12:52 GMT
Don't know what you did there, but if the password appears on screen and is recorded in history, then you were not typing your password to a sudo prompt, but to the shell after pacman is done.

Comment by damien gorlick (damiengorlick) - Thursday, 08 June 2017, 12:54 GMT
Thats the first thing i thought when it happened but what bugged me was that it was in a fresh terminal window which would mean that i would be required to enter in the code.
Comment by Evangelos Foutras (foutrelis) - Friday, 09 June 2017, 11:47 GMT
I come to the same conclusion as Jan; it sounds like you typed your password while pacman was doing its thing.

You are correct that running sudo in a new terminal session would ask for your password, but perhaps it wasn't a new terminal (or it's a dropdown one that remains active all the time).

Closing this as there doesn't seem to be a bug here; file a new report if you come across any weird behavior that is reproducible.

Loading...