From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/63696
Path: news.gmane.org!not-for-mail
From: Florian Weimer <fw@deneb.enyo.de>
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Wed, 06 Sep 2006 22:11:37 +0200
Message-ID: <87ac5coiva.fsf@mid.deneb.enyo.de>
References: <b4maca88q6i.fsf@jpl.org>
	<def1aabc-69b9-4b1d-bb84-e65c63540eac@well-done.deisui.org>
	<b4mmze82cse.fsf@jpl.org> <b4mwtdbfqob.fsf@jpl.org>
	<9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org>
	<b4mpsj3gw1s.fsf@jpl.org> <b4my7xrfg5o.fsf@jpl.org>
	<4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org>
	<87fyjz2gaj.fsf@pacem.orebokech.com>
	<v9iroj49cz.fsf@marauder.physik.uni-ulm.de>
	<v9mz9itt6y.fsf_-_@marauder.physik.uni-ulm.de>
	<87ac5gnccs.fsf@mid.deneb.enyo.de>
	<e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org>
	<E1GKXSp-0002f5-Gr@fencepost.gnu.org>
NNTP-Posting-Host: main.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: sea.gmane.org 1157573543 31432 80.91.229.2 (6 Sep 2006 20:12:23 GMT)
X-Complaints-To: usenet@sea.gmane.org
NNTP-Posting-Date: Wed, 6 Sep 2006 20:12:23 +0000 (UTC)
Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de,
	Daiki Ueno <ueno@unixuser.org>, ding@gnus.org,
	emacs-devel@gnu.org, jas@extundo.com
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Sep 06 22:12:17 2006
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by ciao.gmane.org with esmtp (Exim 4.43)
	id 1GL3ko-0003vG-2b
	for ged-emacs-devel@m.gmane.org; Wed, 06 Sep 2006 22:12:10 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1GL3kn-0006Jb-HB
	for ged-emacs-devel@m.gmane.org; Wed, 06 Sep 2006 16:12:09 -0400
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1GL3kd-0006JU-02
	for emacs-devel@gnu.org; Wed, 06 Sep 2006 16:11:59 -0400
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1GL3ka-0006JI-9b
	for emacs-devel@gnu.org; Wed, 06 Sep 2006 16:11:57 -0400
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1GL3ka-0006JF-4G
	for emacs-devel@gnu.org; Wed, 06 Sep 2006 16:11:56 -0400
Original-Received: from [212.9.189.167] (helo=mail.enyo.de)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.52) id 1GL3km-0002lv-FZ; Wed, 06 Sep 2006 16:12:08 -0400
Original-Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de)
	by mail.enyo.de with esmtp id 1GL3kV-0002d8-6N;
	Wed, 06 Sep 2006 22:11:51 +0200
Original-Received: from fw by deneb.enyo.de with local (Exim 4.63)
	(envelope-from <fw@deneb.enyo.de>)
	id 1GL3kH-0000ji-Gw; Wed, 06 Sep 2006 22:11:37 +0200
Original-To: rms@gnu.org
In-Reply-To: <E1GKXSp-0002f5-Gr@fencepost.gnu.org> (Richard Stallman's message
	of "Tue, 05 Sep 2006 05:43:27 -0400")
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:59475 gmane.emacs.gnus.general:63696
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/63696>

* Richard Stallman:

>     It would probably be fairly simple to change the implementation to
>     unlink the temp file _before_ writing the contents and pass only the
>     still-open file-descriptor (after rewinding) to Fcall_process (or
>     rather, to some common subroutine derived from Fcall_process).
>
> We would have to unlink the file before writing the contents into it.

This doesn't achieve much, I'm afraid.  Even unnamed files can be
written to disk by the kernel.  It's not much different from
passphrases stored in process images ending up in the swap file,
though.  I'm pretty sure I looked at the situation when I wrote gpg.el
a couple of years ago, and decided that all things considered, it's
not terribly important.  It's a significant PR issue, admittedly, but
back then, I didn't care about that. 8-)

As Greg suggested, the passphrase handling should be moved from Emacs
into a separate process (which may request special privileges to lock
memory regions etc.).