Bug 31818 - parcellite new security issue fixed upstream in 1.2.2
Summary: parcellite new security issue fixed upstream in 1.2.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-04-20 17:23 CEST by David Walser
Modified: 2023-05-06 20:20 CEST

See Also:
Source RPM: parcellite-1.2.1-3.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2023-04-20 17:23:38 CEST
Fedora has issued an advisory today (April 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVPMZCHBXJ7JLXD22ZOU4FXBPHM6MRB7/

An unspecified security issue was fixed upstream in 1.2.2.
Comment 1 Lewis Smith 2023-04-20 21:42:01 CEST
Cannot see this for M9, nor the M8 SRPM maintenance list; so no idea who normally maintains this, hence assigning it globally.

Status comment: (none) => fixed upstream in 1.2.2
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-04-21 10:04:17 CEST
For Mga9, parcellite was removed and replaced by clipit.

Suggested advisory:
========================

The updated package fixes a security vulnerability:

Parcellite clipboard manager might cause your copied secrets to be stored in the plain-text form in the system logs.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVPMZCHBXJ7JLXD22ZOU4FXBPHM6MRB7/
https://github.com/rickyrockrat/parcellite/issues/79
========================

Updated package in core/updates_testing:
========================
parcellite-1.2.1-3.1.mga8

from SRPM:
parcellite-1.2.1-3.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: fixed upstream in 1.2.2 => (none)

Comment 3 Herman Viaene 2023-04-24 16:16:14 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Found previous bug 16279, and some text on its sourceforge page. But I still haven't a clue what this really does.
I did a "copy" operation of one file in caja, ran parcellite and saw in its Edit option the name of the file. I can edit that name to the name of another file in the same folder, but then pasting still pastes the first file. Beats me .....

CC: (none) => herman.viaene

Comment 4 Nicolas Salguero 2023-04-25 09:02:20 CEST
Hi,

parcellite is software that keeps a history of what you copy, like Klipper for Plasma, for instance.

I use it every day and, for me, its best usage is with text: with it, I am able to copy several texts once and, then, paste all of them, in the order I want.

Best regards,

Nico.
Comment 5 Herman Viaene 2023-04-26 11:13:25 CEST
I still don't get it. If I select some text with Ctrl-C, copy a second text with Ctrl-C and then go to the panel and click on the "P" I get the first and second selected text, but when I open "Edit clipboard" I see only the second selected text. And I can only paste the second.
Is that expected behavior????
Comment 6 Nicolas Salguero 2023-04-26 11:54:16 CEST
Yes it is: the text which you can paste is the one at the top of the history.

So, to paste the first selected text, you need to left click on it to put it at the top of the history.
Comment 7 Herman Viaene 2023-04-26 11:57:51 CEST
OK, fine then as it is.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2023-04-26 15:20:31 CEST
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-05-06 18:22:42 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2023-05-06 20:20:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0162.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

