Fwd: acroread security problem

Pietro Cerutti pietro.cerutti at gmail.com
Fri Dec 2 12:58:14 GMT 2005


Sorry guys,
the problem is the same with acroread standalone, not only with the plugin!


Thanx,
best regards..


---------- Forwarded message ----------
From: Pietro Cerutti <pietro.cerutti at gmail.com>
Date: 2-dic-2005 13.43
Subject: acroread security problem
To: freebsd-security at freebsd.org


Dear all,
I think there's a security problem with the acroread plugin for firefox.

I'm using sysutils/pwsafe to manage my passwords. A feature of this
tool is that it can copy the requested password to the X clipboard,
allowing the user to paste it (eg. in a password box), never seeing
the pass in clear.

When I load a PDF document in Firefox, the acroread process lives on
even after the PDF document is closed:

$ pgrep acroread
17260

and reads anything I copy in the X clipboard.

So when I use pwsafe to get a password, the pass is sent to the
acroread process:

$ pwsafe -p gmail
Going to copy password to X selection
Enter passphrase for /home/piter/.pwsafe.dat: [xxx]
You are ready to paste the password for gmail from PRIMARY and CLIPBOARD
Press any key when done
Sending password for gmail to acroread at gahr via CLIPBOARD

and this is done automatically. Note that I didn't touch any key after
writing the main password of pwsafe (noted [xxx] in the code above).

Can anyone explain this behaviour?

Thank you very much, best regards.


[list of ports installed]
www/firefox: firefox-1.5,1
www/linuxpluginwrapper: linuxpluginwrapper-20050910
print/acroread7: acroread7-7.0.1



--
Pietro Cerutti
<pietro.cerutti at gmail.com>

Beansidhe - SwiSS Death / Thrash Metal
<www.beansidhe.ch>

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"
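The exchange described in the forwarded message, as an added example that is not part of the original post or of pwsafe: a toy model of the X selection protocol (not real Xlib) in which the server only relays SelectionRequest events and the owner decides what to answer. The names Display, Client, PasswordOwner and OnePasteOwner are assumptions; "gahr" is the host name from the post, and the secret is a constructed sample value.

```python
"""Toy model of the X selection exchange (not real Xlib) built to illustrate
the pwsafe/acroread report.  Display, Client, PasswordOwner and OnePasteOwner
are names assumed for this example; 'gahr' is the host shown in the post."""

from dataclasses import dataclass, field


@dataclass
class Client:
    """An X client; `name` stands in for the WM_NAME the owner can look up."""
    name: str


@dataclass
class Display:
    """Minimal stand-in for the X server: records who owns each selection and
    relays every SelectionRequest to that owner."""
    host: str
    owners: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def set_selection_owner(self, selection, owner):
        self.owners[selection] = owner

    def clear_selection(self, selection):
        self.owners.pop(selection, None)

    def convert_selection(self, selection, requestor):
        """XConvertSelection: any client on the display may ask.  The server
        has no notion of 'intended' recipient; it just forwards the request."""
        owner = self.owners.get(selection)
        if owner is None:
            return None
        return owner.on_selection_request(self, selection, requestor)


class PasswordOwner:
    """Owner behaving like pwsafe: answers every request and logs the requestor."""

    def __init__(self, label, secret):
        self.label = label
        self.secret = secret
        self.served = []

    def on_selection_request(self, display, selection, requestor):
        display.log.append(
            f"Sending password for {self.label} to {requestor.name} "
            f"at {display.host} via {selection}")
        self.served.append(requestor.name)
        return self.secret


class OnePasteOwner(PasswordOwner):
    """Hardened owner: serves exactly one request, then drops both selections."""

    def on_selection_request(self, display, selection, requestor):
        if self.served:
            display.log.append(f"Refusing {requestor.name}: already pasted")
            return None
        secret = super().on_selection_request(display, selection, requestor)
        for sel in ("PRIMARY", "CLIPBOARD"):
            if display.owners.get(sel) is self:
                display.clear_selection(sel)
        return secret


def scenario(owner_cls):
    """Replays the report: pwsafe publishes the password on PRIMARY and
    CLIPBOARD, a lingering acroread asks for it before the user pastes into
    the browser's password box.  Returns what each requestor received."""
    display = Display(host="gahr")
    owner = owner_cls("gmail", "constructed-secret")   # constructed sample
    for sel in ("PRIMARY", "CLIPBOARD"):
        display.set_selection_owner(sel, owner)

    lingering = Client("acroread")      # still running after the PDF closed
    password_box = Client("firefox")    # where the user meant to paste

    got_by_acroread = display.convert_selection("CLIPBOARD", lingering)
    got_by_firefox = display.convert_selection("CLIPBOARD", password_box)
    return got_by_acroread, got_by_firefox, display.log


if __name__ == "__main__":
    for cls in (PasswordOwner, OnePasteOwner):
        acro, ff, log = scenario(cls)
        print(cls.__name__, "acroread:", acro, "firefox:", ff)
        for line in log:
            print("  ", line)
```

Running both scenarios makes the risk concrete: with the pwsafe-style owner the lingering client and the intended password box both receive the secret, and the log line matches the "Sending password for gmail to acroread at gahr via CLIPBOARD" message in the post. The one-paste owner does not help here either, because the lingering process asks first and consumes the single paste, so the user's own paste fails. The selection model gives the owner no trustworthy way to tell requestors apart (the name it can read is set by the requesting client), so the practical defences are on the process side: make sure viewers launched by the browser actually exit, and keep untrusted clients off the display that handles secrets.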
