Thread: kgpg editor insecure?

  1. #1

    kgpg editor insecure?

    I happened to run kgpg from the CLI in a konsole, and then used its editor to open an encrypted file.
    What I then noticed was that as I typed stuff in the editor, the characters were appearing in the konsole (numeric encoding),
    e.g. 65 for 'a', 66 for 'b', etc.
    They seemed to go to stderr.

    This seems a bit insecure for an application commonly used for storing stuff securely in encrypted files!

    Should I be avoiding kgpg? Are there better, more secure tools for encrypting files?

  2. #2

    Re: kgpg editor insecure?

    Quote: Originally posted by jonb62
    I happened to run kgpg from the CLI in a konsole, and then used its editor to open an encrypted file.
    What I then noticed was that as I typed stuff in the editor, the characters were appearing in the konsole (numeric encoding),
    e.g. 65 for 'a', 66 for 'b', etc.
    They seemed to go to stderr.

    This seems a bit insecure for an application commonly used for storing stuff securely in encrypted files!

    Should I be avoiding kgpg? Are there better, more secure tools for encrypting files?

    That's actually kdelibs4's fault. It contains a debug statement in ktextedit that outputs every pressed key to stderr.
    The same happens when you rename a file in dolphin, e.g.

    It has been fixed recently with the following commit:
    https://quickgit.kde.org/?p=kdelibs....2e5d91c7855609

    If you think we should fix this in openSUSE 13.2 as well, please file a bug report.

    See also: https://forum.kde.org/viewtopic.php?f=223&t=127144
    Last edited by wolfi323; 18-Aug-2015 at 13:25.
