
Security issue in Parcellite <= 1.2.1

Open szpak opened this issue 2 years ago • 0 comments

TL;DR: the Parcellite clipboard manager may cause your copied secrets to be stored in plain text in the system logs.

Please note: this issue provides only a subset of the information. The full announcement can be found here: https://blog.solidsoft.pl/2022/06/28/security-issue-in-parcellite-1.2.1/

Vulnerability

If started automatically by a .desktop file in a systemd-powered environment (reproduced with Fedora), every copied text (including credentials) may be logged in plain text in the system logs:

… parcellite-startup.desktop[5354]: xdotool:'/bin/sh -c 'xdotool mousedown 2 && xdotool mouseup 2'' … foobar parcellite-startup.desktop[5354]: text:'xxx'

where 'xxx' can be anything copied by a user, including the user's passwords and API keys.

Affected systems/users

The issue can only affect desktop users running Parcellite 1.1.7 to 1.2.1 (1.2.2 with the fix was not yet released at the time of creating this issue) on X.Org Server (Parcellite does not work with Wayland).

Dealing with (potentially) compromised credentials

It is best to roll/change all the credentials (and other secrets) copied into the clipboard while Parcellite was running. The journalctl -b all -u parcellite-startup.desktop command might be useful for finding what was logged.

If changing the secrets is problematic or not possible (e.g. your SSN or your credit card number), it is possible to:

  • remove the affected journal files
  • rewrite the history in the affected journal files (which is not easy, but is possible)
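A worked check for the two points above (finding which copied strings the journal holds, and picking the journal files to remove), as an added example that is not code from the Parcellite project or from the original announcement. It assumes, based only on the excerpt shown in this issue, that the messages carry the syslog identifier parcellite-startup.desktop and that the copied value sits between the quotes of a text:'...' field; the sample journal lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Parcellite or from the advisory: find clipboard
# strings that a .desktop-launched Parcellite <= 1.2.1 wrote into the systemd
# journal, and list the journal files that hold them.
#
# Assumptions (mine, not stated on the page): the messages are tagged with the
# syslog identifier "parcellite-startup.desktop", as in the advisory's excerpt,
# and the leaked value sits between the quotes of a "text:'...'" field.

# Constructed sample output in `journalctl -o short` shape; the two text:'...'
# lines stand in for a copied password and a copied API key.
sample_journal() {
    cat <<'EOF'
Jun 28 10:00:01 foobar parcellite-startup.desktop[5354]: xdotool:'/bin/sh -c 'xdotool mousedown 2 && xdotool mouseup 2''
Jun 28 10:00:01 foobar parcellite-startup.desktop[5354]: text:'hunter2'
Jun 28 10:00:05 foobar parcellite-startup.desktop[5354]: text:'AKIAEXAMPLEKEY'
Jun 28 10:00:09 foobar sshd[1234]: Accepted publickey for alice from 10.0.0.2
EOF
}

# Read journal lines on stdin, print one leaked clipboard string per line.
# Only lines from the Parcellite identifier that carry a text:'...' field
# match; the xdotool debug line and unrelated units are dropped.
extract_leaked_text() {
    sed -n "s/^.*parcellite-startup\.desktop\[[0-9]*\]: text:'\(.*\)'\$/\1/p"
}

# Number of leaked strings on stdin (a quick "am I affected?" check).
count_leaked_text() {
    extract_leaked_text | wc -l | tr -d ' '
}

# Live system: scan every boot the journal still holds, not just the current one.
scan_live_journal() {
    journalctl -b all -o short --no-pager -t parcellite-startup.desktop 2>/dev/null \
        | extract_leaked_text
}

# Live system: list journal files that contain at least one leaked string, which
# is the input for the "remove the affected journal files" option. Needs read
# access to /var/log/journal (root or the systemd-journal group).
affected_journal_files() {
    for f in /var/log/journal/*/*.journal /var/log/journal/*/*.journal~; do
        [ -e "$f" ] || continue
        if journalctl --file "$f" -o short --no-pager -t parcellite-startup.desktop 2>/dev/null \
            | extract_leaked_text | grep -q .; then
            printf '%s\n' "$f"
        fi
    done
}

# Offline demonstration on the constructed sample: prints the two leaked values.
sample_journal | extract_leaked_text
```

On a real system, run scan_live_journal to see what was captured and affected_journal_files to see which files would have to go; copied text that spans several lines is written as several journal messages and is only partially recovered by the single-line pattern, so treat an empty result as "nothing matched", not as "nothing leaked".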

Timeline

Originally reported in September 2021. Fixed in master in October 2021. A new version with the fix was not available at the moment of creating this issue.

Check my official announcement for the complete timeline.

Further actions

  1. Convince the Parcellite author to finally release 1.2.2.
  2. Notify the package maintainers to upgrade the version (or apply a patch).
  3. Request a CVE number; it would be best if it were obtained by the project author, possibly using the mechanism provided by GitHub.

Postscriptum

I realize that opening security-related issues in a public issue tracker is not the best idea and that GitHub provides a dedicated mechanism for that; however, I have not been able to convince the Parcellite maintainer to follow that way (for months).

szpak, Jun 28 '22 18:06