From: Richard Stallman <rms@gnu.org>
Cc: fw@deneb.enyo.de, jas@extundo.com, satyaki@chicory.stanford.edu,
ding@gnus.org, Reiner.Steib@gmx.de, emacs-devel@gnu.org
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Tue, 05 Sep 2006 05:43:27 -0400 [thread overview]
Message-ID: <E1GKXSp-0002f5-Gr@fencepost.gnu.org> (raw)
In-Reply-To: <e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org> (message from Daiki Ueno on Mon, 04 Sep 2006 11:04:38 +0900)
When decrypting PGP messages PGG will send your passphrase along
with data, so if Emacs process is killed and [someone else has]
stolen your note PC, your passphrase can also be stolen from the
temp file.
Since it is not likely for Emacs to be killed just while it is running
GPG, I think that very few users have such temp files lying around.
So the thief would need to be very lucky (as well as knowing about
such things) in order get anyone's pass phrase.
Therefore, I think it is not desperately urgent to fix this.
We should fix it if it is feasible, but it may be hard.
It would probably be fairly simple to change the implementation to
unlink the temp file _before_ writing the contents and pass only the
still-open file-descriptor (after rewinding) to Fcall_process (or
rather, to some common subroutine derived from Fcall_process).
We would have to unlink the file before writing the contents into it.
That would be somewhat more work, since Fwrite_region needs to be able
to use an already-open descriptor, too. Still, it is possible in
principle. Would someone like to try it?
We could make the problem even more unlikely if we can arrange for
Emacs to delete any such temp files that are lying around when it
starts. For this, the hard part is dealing with multiple machines
that share the same temp file directory. In that case, Emacs can't
tell whether the Emacs that wrote a certain temp file is still alive.
However, if Emacs put the machine name, user name and process ID into
the file name, then each Emacs could tell which of these temp files
are from the same machine and same user; then it could check whether
those processes are still alive.
This way, the thief would have to get your machine after Emacs dies
while running GPG and before you start another Emacs.
next prev parent reply other threads:[~2006-09-05 9:43 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-26 12:41 pgg-output-buffer gets created as a unibyte buffer Katsumi Yamaoka
2006-04-26 13:22 ` Daiki Ueno
2006-04-26 22:27 ` Katsumi Yamaoka
2006-04-27 7:01 ` Katsumi Yamaoka
2006-04-27 9:36 ` Daiki Ueno
2006-04-27 10:19 ` Katsumi Yamaoka
2006-04-27 10:48 ` Katsumi Yamaoka
2006-04-27 14:45 ` Daiki Ueno
2006-04-27 15:23 ` Romain Francoise
2006-05-06 12:37 ` pgg-gpg-process-region (was: pgg-output-buffer gets created as a unibyte buffer) Reiner Steib
2006-09-02 11:16 ` Security flaw in pgg-gpg-process-region? (was: pgg-gpg-process-region) Reiner Steib
2006-09-02 13:16 ` Security flaw in pgg-gpg-process-region? Daiki Ueno
2006-09-02 13:49 ` Daiki Ueno
2006-09-03 15:16 ` Richard Stallman
2006-09-04 1:36 ` Daiki Ueno
2006-09-04 17:18 ` Richard Stallman
2006-09-04 17:45 ` Daiki Ueno
2006-09-04 17:48 ` David Kastrup
2006-09-05 5:06 ` Daiki Ueno
2006-09-05 15:10 ` Chong Yidong
2006-09-06 8:49 ` Richard Stallman
2006-09-06 9:25 ` Daiki Ueno
2006-09-07 6:54 ` Richard Stallman
2006-09-06 8:49 ` Richard Stallman
2006-09-03 15:16 ` Security flaw in pgg-gpg-process-region? (was: pgg-gpg-process-region) Richard Stallman
2006-09-03 16:28 ` Security flaw in pgg-gpg-process-region? Florian Weimer
2006-09-04 2:04 ` Daiki Ueno
2006-09-04 2:25 ` Miles Bader
2006-09-05 9:43 ` Richard Stallman [this message]
2006-09-05 11:57 ` Daiki Ueno
2006-09-06 19:05 ` Richard Stallman
2006-09-06 19:33 ` gdt
2006-09-06 21:33 ` Miles Bader
2006-09-07 21:13 ` Richard Stallman
2006-09-19 10:02 ` Sascha Wilde
2006-09-19 22:56 ` Richard Stallman
2006-11-11 22:00 ` Sascha Wilde
2006-11-12 21:12 ` Richard Stallman
2006-11-12 21:38 ` Sascha Wilde
2006-11-13 20:15 ` Richard Stallman
2006-11-14 11:11 ` Sascha Wilde
2006-09-06 22:44 ` Daiki Ueno
2006-09-07 21:14 ` Richard Stallman
2006-09-06 20:11 ` Florian Weimer
2006-09-07 14:12 ` Chong Yidong
2006-09-07 21:13 ` Richard Stallman
2006-04-27 16:08 ` pgg-output-buffer gets created as a unibyte buffer Katsumi Yamaoka
2006-04-28 5:18 ` Katsumi Yamaoka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E1GKXSp-0002f5-Gr@fencepost.gnu.org \
--to=rms@gnu.org \
--cc=Reiner.Steib@gmx.de \
--cc=ding@gnus.org \
--cc=emacs-devel@gnu.org \
--cc=fw@deneb.enyo.de \
--cc=jas@extundo.com \
--cc=satyaki@chicory.stanford.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).