From: Richard Stallman
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 17:14:11 -0400
Reply-To: rms@gnu.org
To: Daiki Ueno
Cc: satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, ding@gnus.org, emacs-devel@gnu.org, Werner Koch, fw@deneb.enyo.de, jas@extundo.com
In-reply-to: <8fa58311-3574-41c5-a0ad-f40089ba8c40@well-done.deisui.org> (message from Daiki Ueno on Thu, 07 Sep 2006 07:44:16 +0900)

    ^C in the terminal where the user launched Emacs (without -nw.)
    In this case Emacs can't be said to be "killed" but it is enough to
    leave the tempfile on the filesystem after the Emacs process
    terminated.

Do you actually find that users do this while running mailcrypt? It seems like a strange thing to do; wouldn't they try C-g first, most of the time?

By unlinking the temp file before writing it, we could avoid the problem that the file might remain in /tmp.

As others have pointed out, this won't avoid the problem that the passphrase could have been written to some disk block while it was in the unlinked file, and it could remain there, readable by reading the raw disk. It could also be saved on disk due to swapping of Emacs.

So the real question is, how far should we go? To what level of smallness do we need to reduce this problem? And how far do we need to go now, before the Emacs 22 release?

I have cc'd Werner Koch, in the hope that he can give us some advice.
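
The unlink-before-write approach described in the message above, as an added C example (not code from the thread, pgg or Emacs; the function names and the /tmp/pp-demo- prefix are assumptions made here). The name is removed before any secret is written, so no path is left behind if the process is interrupted; it does not address the raw-disk and swap concerns raised in the message.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temp file and remove its name before anything is written.
   The descriptor stays valid; the path (copied to path_out) no longer exists.
   The "/tmp/pp-demo-" prefix is a constructed name for this example. */
int open_unlinked_temp(char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/pp-demo-XXXXXX";
    int fd = mkstemp(tmpl);            /* created exclusively, mode 0600 */
    if (fd < 0) return -1;
    if (unlink(tmpl) != 0) {           /* drop the name first */
        close(fd);
        return -1;
    }
    if (path_out) snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

/* Write a secret through the unlinked descriptor and read it back.
   Returns 0 when the file has no directory entry (link count 0, path lookup
   fails) and the data still round-trips through the descriptor. */
int demo_roundtrip(const char *secret)
{
    char path[64], buf[128] = {0};
    struct stat st;
    size_t n = strlen(secret);
    int fd = open_unlinked_temp(path, sizeof path);
    if (fd < 0) return -1;
    int ok = n < sizeof buf
        && write(fd, secret, n) == (ssize_t)n
        && fstat(fd, &st) == 0 && st.st_nlink == 0
        && access(path, F_OK) != 0
        && lseek(fd, 0, SEEK_SET) == 0
        && read(fd, buf, sizeof buf - 1) == (ssize_t)n
        && memcmp(buf, secret, n) == 0;
    close(fd);  /* last reference: the kernel frees the inode (same on exit) */
    return ok ? 0 : 1;
}

int main(void)
{
    return demo_roundtrip("constructed-demo-passphrase");
}
```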