Package: lxqt-policykit
Version: 0.14.1-1
Severity: important
Tags: upstream

Dear Maintainer,

the lxqt-policykit-agent GUI has a flaw in displaying sensitive information
when using U2F as an additional auth backend.

Patches are available here:
https://github.com/jkur/lxqt-policykit/tree/dontshowpass

The point is that the QLineEdit still knows about the password in repeated
invocations and displays it as a default text.

   * What led up to the situation?

Using the lxqt-policykit-agent with two-factor auth based on pam-u2f

   * What was the outcome of this action?

The password is displayed in plaintext in the GUI

   * What outcome did you expect instead?

Don't show any sensitive information

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (1001, 'stable'), (150, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxqt-policykit depends on:
ii  libc6              2.28-10
ii  liblxqt0           0.14.1-1
ii  libpolkit-qt5-1-1  0.112.0-6
ii  libqt5core5a       5.11.3+dfsg1-1
ii  libqt5gui5         5.11.3+dfsg1-1
ii  libqt5widgets5     5.11.3+dfsg1-1
ii  libstdc++6         8.3.0-6
ii  lxqt-session       0.14.1-2

Versions of packages lxqt-policykit recommends:
ii  lxqt-policykit-l10n  0.14.1-1

Versions of packages lxqt-policykit suggests:
pn  lxqt | lxqt-core  <none>

-- no debconf information

