Fwd: acroread security problem



Sorry guys,
the problem is the same with acroread standalone, not only with the plugin!


Thanx,
best regards..


---------- Forwarded message ----------
From: Pietro Cerutti <pietro.cerutti@xxxxxxxxx>
Date: 2 Dec 2005 13:43
Subject: acroread security problem
To: freebsd-security@xxxxxxxxxxx


Dear all,
I think there's a security problem with the acroread plugin for firefox.

I'm using sysutils/pwsafe to manage my passwords. A feature of this
tool is that it can copy the requested password to the X clipboard,
allowing the user to paste it (e.g. in a password box), never seeing
the pass in clear.

When I load a PDF document in Firefox, the acroread process lives on
even after the PDF document is closed:

$ pgrep acroread
17260

and reads anything I copy in the X clipboard.

So when I use pwsafe to get a password, the pass is sent to the
acroread process:

$ pwsafe -p gmail
Going to copy password to X selection
Enter passphrase for /home/piter/.pwsafe.dat: [xxx]
You are ready to paste the password for gmail from PRIMARY and CLIPBOARD
Press any key when done
Sending password for gmail to acroread@gahr via CLIPBOARD

and this is done automatically. Note that I didn't touch any key after
writing the main password of pwsafe (noted [xxx] in the code above).

Can anyone explain this behaviour?

Thank you very much, best regards.


[list of ports installed]
www/firefox: firefox-1.5,1
www/linuxpluginwrapper: linuxpluginwrapper-20050910
print/acroread7: acroread7-7.0.1



--
Pietro Cerutti
<pietro.cerutti@xxxxxxxxx>

Beansidhe - SwiSS Death / Thrash Metal
<www.beansidhe.ch>

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"


_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


