The `assuan_release` function called from `agent_reset_daemon` in agent/command.c at line 4151 is not run on the `primary_ctx` variable (`primary_scd_ctx` for the LTS version), and thus the outbound buffer containing the PIN stays in clear in memory. The content of the buffer stays in memory even after the smartcard is physically removed.
To reproduce the problem on the latest GPG version (after the PIN of the dongle has been entered once):
```
(gdb) attach <PID>
Attaching to program: /usr/local/bin/gpg-agent, process <PID>
(gdb) b agent_cache_housekeeping
Breakpoint 1 at 0x55571151c400: file cache.c, line 278.
Thread 1 "gpg-agent" hit Breakpoint 1, agent_cache_housekeeping () at cache.c:278
278 if (DBG_CACHE)
(gdb) p daemon_global[DAEMON_SCD].primary_ctx->outbound.data.line
$9 = "D 13371337", '\000' <repeats 82 times>, "\n", '\000' <repeats 908 times>
```
For LTS version:
This has been tested with a Yubikey 4 dongle.
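The residue described above can be modelled in a few lines. This is an added example, not GnuPG or libassuan code: `struct model_ctx`, `LINE_LEN`, `reset_ctx` and the other names are hypothetical, and the PIN is the sample value from the gdb output. It compares a reset that only clears the length with one that wipes the whole line buffer.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LEN 1002 /* sample size for this model (assumption) */

/* Hypothetical stand-in for a context with an outbound line buffer. */
struct model_ctx { char line[LINE_LEN]; size_t linelen; };

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Buffer a "D <payload>" data line (constructed format for the demo). */
static void stage_data_line(struct model_ctx *ctx, const char *payload)
{
    int n = snprintf(ctx->line, sizeof ctx->line, "D %s", payload);
    ctx->linelen = (n < 0) ? 0 : (n >= LINE_LEN ? LINE_LEN - 1 : (size_t)n);
}

/* Reset the context; without do_wipe only the length is cleared. */
static void reset_ctx(struct model_ctx *ctx, int do_wipe)
{
    if (do_wipe)
        wipe(ctx->line, sizeof ctx->line); /* whole buffer, not just linelen */
    ctx->linelen = 0;
}

/* Return 1 if secret occurs anywhere in the raw buffer, else 0. */
static int buffer_contains(const struct model_ctx *ctx, const char *secret)
{
    size_t slen = strlen(secret);
    if (slen == 0 || slen > sizeof ctx->line) return 0;
    for (size_t i = 0; i + slen <= sizeof ctx->line; i++)
        if (memcmp(ctx->line + i, secret, slen) == 0) return 1;
    return 0;
}

/* Stage the sample PIN from the gdb output, reset, report what is left. */
static int pin_survives_reset(int do_wipe)
{
    struct model_ctx ctx = {0};
    stage_data_line(&ctx, "13371337");
    reset_ctx(&ctx, do_wipe);
    return buffer_contains(&ctx, "13371337");
}

int main(void) { printf("%d %d\n", pin_survives_reset(0), pin_survives_reset(1)); return 0; }
```

The scan covers the raw array rather than `linelen` bytes because a memory inspection such as the gdb `p` command above reads the full buffer regardless of the logical length.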