From: Chong Yidong
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 10:12:32 -0400
Message-ID: <87d5a7n4tr.fsf@furball.mit.edu>
References: <9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org>
	<4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org>
	<87fyjz2gaj.fsf@pacem.orebokech.com>
	<87ac5gnccs.fsf@mid.deneb.enyo.de>
	<87ac5coiva.fsf@mid.deneb.enyo.de>
To: Florian Weimer
Cc: satyaki@chicory.stanford.edu, rms@gnu.org, Reiner.Steib@gmx.de,
	Daiki Ueno, ding@gnus.org, emacs-devel@gnu.org, jas@extundo.com
In-Reply-To: <87ac5coiva.fsf@mid.deneb.enyo.de> (Florian Weimer's message of "Wed, 06 Sep 2006 22:11:37 +0200")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:59508 gmane.emacs.gnus.general:63711

Florian Weimer writes:

> * Richard Stallman:
>
>> It would probably be fairly simple to change the implementation to
>> unlink the temp file _before_ writing the contents and pass only the
>> still-open file-descriptor (after rewinding) to Fcall_process (or
>> rather, to some common subroutine derived from Fcall_process).
>>
>> We would have to unlink the file before writing the contents into it.
>
> This doesn't achieve much, I'm afraid.  Even unnamed files can be
> written to disk by the kernel.  It's not much different from
> passphrases stored in process images ending up in the swap file,
> though.  I'm pretty sure I looked at the situation when I wrote gpg.el
> a couple of years ago, and decided that all things considered, it's
> not terribly important.

In any case, I've looked into changing Fcall_process_region to do the
unlink-before-write trick, and changing Fcall_process to accept a file
descriptor.  It's a rather big and messy job.  Since it wouldn't
completely solve the problem anyway, could we postpone this for after
the release?
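The unlink-before-write scheme discussed above, as an added C example that is not part of this thread or of Emacs's call-process code: the temp file's name is removed before any sensitive byte is written, and only the still-open, rewound descriptor is handed to the child. It assumes a POSIX system with `cat` on PATH standing in for gpg; the `/tmp/pgg-exampleXXXXXX` template and the sample plaintext are constructed.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write `data` into an unlinked temp file, rewind, and hand the still-open
   descriptor to a child as stdin (here `cat` stands in for gpg).  The child's
   stdout is collected into `out`; *name_gone reports whether the path had
   already vanished before the write.  Returns bytes collected, or -1. */
ssize_t run_with_unlinked_tmp(const char *data, size_t len,
                              char *out, size_t outsz, int *name_gone)
{
    char path[] = "/tmp/pgg-exampleXXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Unlink before writing: the name is gone before any sensitive byte
       lands, so nothing else can open the file by path.  The inode's
       pages can still reach disk via the page cache or swap, which is the
       limitation raised in the thread. */
    if (unlink(path) != 0) { close(fd); return -1; }
    *name_gone = (access(path, F_OK) != 0);
    if (write(fd, data, len) != (ssize_t)len ||
        lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    int pipefd[2];
    if (pipe(pipefd) != 0) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {
        /* Child: inherited descriptor becomes stdin, pipe becomes stdout. */
        dup2(fd, STDIN_FILENO);
        dup2(pipefd[1], STDOUT_FILENO);
        close(fd); close(pipefd[0]); close(pipefd[1]);
        execlp("cat", "cat", (char *)NULL);
        _exit(127);
    }
    close(fd); close(pipefd[1]);
    size_t total = 0; ssize_t n;
    while (total < outsz - 1 &&
           (n = read(pipefd[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(pipefd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}
```

The child reads the full contents even though no directory entry for the file exists any more, which is the property the descriptor-passing variant relies on.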