From: Florian Weimer
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Wed, 06 Sep 2006 22:11:37 +0200
Message-ID: <87ac5coiva.fsf@mid.deneb.enyo.de>
To: rms@gnu.org
Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, Daiki Ueno, ding@gnus.org, emacs-devel@gnu.org, jas@extundo.com
In-Reply-To: (Richard Stallman's message of "Tue, 05 Sep 2006 05:43:27 -0400")

* Richard Stallman:

> It would probably be fairly simple to change the implementation to
> unlink the temp file _before_ writing the contents and pass only the
> still-open file-descriptor (after rewinding) to Fcall_process (or
> rather, to some common subroutine derived from Fcall_process).
>
> We would have to unlink the file before writing the contents into it.

This doesn't achieve much, I'm afraid.  Even unnamed files can be
written to disk by the kernel.  It's not much different from
passphrases stored in process images ending up in the swap file,
though.

I'm pretty sure I looked at the situation when I wrote gpg.el a couple
of years ago, and decided that all things considered, it's not
terribly important.  It's a significant PR issue, admittedly, but back
then, I didn't care about that. 8-)

As Greg suggested, the passphrase handling should be moved from Emacs
into a separate process (which may request special privileges to lock
memory regions etc.).
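
The unlink-before-write sequence quoted in this message, as an added C example that is not code from the thread or from Emacs; the helper name, the /tmp template and the use of `cat` as the child are assumptions. It removes only the directory entry, so the file's blocks can still be written to disk by the kernel, which is the limitation the reply raises.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Hypothetical helper: feeds data to `cat` through a temp file whose name
 * is removed before anything is written; returns bytes echoed back or -1. */
ssize_t run_with_unlinked_input(const char *data, size_t len,
                                char *out, size_t outsz)
{
    char path[] = "/tmp/pgg-demo-XXXXXX";      /* constructed template */
    int pipefd[2], status;
    struct stat st;
    int fd = mkstemp(path);                    /* mode 0600, O_EXCL */
    if (fd < 0) return -1;
    /* Unlink while the file is still empty, then confirm the name is gone. */
    if (unlink(path) != 0 || stat(path, &st) == 0) { close(fd); return -1; }
    if (write(fd, data, len) != (ssize_t)len ||
        lseek(fd, 0, SEEK_SET) != 0 ||         /* rewind for the reader */
        pipe(pipefd) != 0) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {                            /* child: fd becomes stdin */
        dup2(fd, STDIN_FILENO);
        dup2(pipefd[1], STDOUT_FILENO);
        close(fd); close(pipefd[0]); close(pipefd[1]);
        execlp("cat", "cat", (char *)NULL);
        _exit(127);
    }
    close(fd); close(pipefd[1]);               /* parent keeps read end only */
    size_t total = 0;
    ssize_t n;
    while (total + 1 < outsz &&
           (n = read(pipefd[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

int main(void) {
    char buf[64];                              /* input below is constructed */
    ssize_t n = run_with_unlinked_input("constructed-sample\n", 19, buf, sizeof buf);
    if (n > 0) fputs(buf, stdout);
    return n < 0;
}
```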