From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/63711
Path: news.gmane.org!not-for-mail
From: Chong Yidong <cyd@stupidchicken.com>
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 10:12:32 -0400
Message-ID: <87d5a7n4tr.fsf@furball.mit.edu>
References: <b4maca88q6i.fsf@jpl.org>
	<def1aabc-69b9-4b1d-bb84-e65c63540eac@well-done.deisui.org>
	<b4mmze82cse.fsf@jpl.org> <b4mwtdbfqob.fsf@jpl.org>
	<9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org>
	<b4mpsj3gw1s.fsf@jpl.org> <b4my7xrfg5o.fsf@jpl.org>
	<4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org>
	<87fyjz2gaj.fsf@pacem.orebokech.com>
	<v9iroj49cz.fsf@marauder.physik.uni-ulm.de>
	<v9mz9itt6y.fsf_-_@marauder.physik.uni-ulm.de>
	<87ac5gnccs.fsf@mid.deneb.enyo.de>
	<e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org>
	<E1GKXSp-0002f5-Gr@fencepost.gnu.org>
	<87ac5coiva.fsf@mid.deneb.enyo.de>
NNTP-Posting-Host: main.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: sea.gmane.org 1157638413 1242 80.91.229.2 (7 Sep 2006 14:13:33 GMT)
X-Complaints-To: usenet@sea.gmane.org
NNTP-Posting-Date: Thu, 7 Sep 2006 14:13:33 +0000 (UTC)
Cc: satyaki@chicory.stanford.edu, rms@gnu.org, Reiner.Steib@gmx.de,
	Daiki Ueno <ueno@unixuser.org>, ding@gnus.org,
	emacs-devel@gnu.org, jas@extundo.com
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Sep 07 16:13:30 2006
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by ciao.gmane.org with esmtp (Exim 4.43)
	id 1GLKd2-0000ac-55
	for ged-emacs-devel@m.gmane.org; Thu, 07 Sep 2006 16:13:17 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1GLKd1-0008WU-8j
	for ged-emacs-devel@m.gmane.org; Thu, 07 Sep 2006 10:13:15 -0400
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1GLKck-0008Rr-Kb
	for emacs-devel@gnu.org; Thu, 07 Sep 2006 10:12:58 -0400
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1GLKck-0008Qu-54
	for emacs-devel@gnu.org; Thu, 07 Sep 2006 10:12:58 -0400
Original-Received: from [18.72.1.2] (helo=south-station-annex.mit.edu)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.52)
	id 1GLKd8-0005Th-3R; Thu, 07 Sep 2006 10:13:22 -0400
Original-Received: from central-city-carrier-station.mit.edu
	(CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by south-station-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
	k87ECdAg019162; Thu, 7 Sep 2006 10:12:39 -0400 (EDT)
Original-Received: from outgoing-legacy.mit.edu (OUTGOING-LEGACY.MIT.EDU [18.7.22.104])
	by central-city-carrier-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	k87ECYA7019477; Thu, 7 Sep 2006 10:12:34 -0400 (EDT)
Original-Received: from furball.mit.edu (SYDNEYPACIFIC-THREE-EIGHTY-EIGHT.MIT.EDU
	[18.95.6.133]) )
	by outgoing-legacy.mit.edu (8.13.6/8.12.4) with ESMTP id k87ECUsd004199;
	Thu, 7 Sep 2006 10:12:31 -0400 (EDT)
Original-Received: from cyd by furball.mit.edu with local (Exim 3.36 #1 (Debian))
	id 1GLKcK-0000d0-00; Thu, 07 Sep 2006 10:12:32 -0400
Original-To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <87ac5coiva.fsf@mid.deneb.enyo.de> (Florian Weimer's message of
	"Wed\, 06 Sep 2006 22\:11\:37 +0200")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)
X-Spam-Score: 1.217
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:59508 gmane.emacs.gnus.general:63711
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/63711>

Florian Weimer <fw@deneb.enyo.de> writes:

> * Richard Stallman:
>
>>     It would probably be fairly simple to change the implementation to
>>     unlink the temp file _before_ writing the contents and pass only the
>>     still-open file-descriptor (after rewinding) to Fcall_process (or
>>     rather, to some common subroutine derived from Fcall_process).
>>
>> We would have to unlink the file before writing the contents into it.
>
> This doesn't achieve much, I'm afraid.  Even unnamed files can be
> written to disk by the kernel.  It's not much different from
> passphrases stored in process images ending up in the swap file,
> though.  I'm pretty sure I looked at the situation when I wrote gpg.el
> a couple of years ago, and decided that all things considered, it's
> not terribly important.

In any case, I've looked into changing Fcall_process_region to do the
unlink-before-write trick, and changing Fcall_process to accept a file
descriptor.  It's a rather big and messy job.  Since it wouldn't
completely solve the problem anyway, could we postphone this for after
the release?