Package: pesign / 0.112-4

tty-prompt-race.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Fix race condition in SEC_GetPassword

A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded.  This bit me when trying to drive pesign with an expect
script.

Signed-off-by: Julien Cristau <jcristau@debian.org>
---
https://github.com/rhinstaller/pesign/pull/29

--- pesign.orig/src/password.c
+++ pesign/src/password.c
@@ -69,13 +69,13 @@ static char *SEC_GetPassword(FILE *input
     char phrase[200] = {'\0'};      /* ensure EOF doesn't return junk */
 
     for (;;) {
 	/* Prompt for password */
 	if (isTTY) {
+	    echoOff(infd);
 	    fprintf(output, "%s", prompt);
             fflush (output);
-	    echoOff(infd);
 	}
 
 	fgets ( phrase, sizeof(phrase), input);
 
 	if (isTTY) {