From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/63642
Path: news.gmane.org!not-for-mail
From: Miles Bader <miles.bader@necel.com>
Newsgroups: gmane.emacs.devel,gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Mon, 04 Sep 2006 11:25:48 +0900
Message-ID: <buofyf8z7tf.fsf@dhapc248.dev.necel.com>
References: <b4maca88q6i.fsf@jpl.org>
	<def1aabc-69b9-4b1d-bb84-e65c63540eac@well-done.deisui.org>
	<b4mmze82cse.fsf@jpl.org> <b4mwtdbfqob.fsf@jpl.org>
	<9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org>
	<b4mpsj3gw1s.fsf@jpl.org> <b4my7xrfg5o.fsf@jpl.org>
	<4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org>
	<87fyjz2gaj.fsf@pacem.orebokech.com>
	<v9iroj49cz.fsf@marauder.physik.uni-ulm.de>
	<v9mz9itt6y.fsf_-_@marauder.physik.uni-ulm.de>
	<87ac5gnccs.fsf@mid.deneb.enyo.de>
	<e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org>
Reply-To: Miles Bader <miles@gnu.org>
NNTP-Posting-Host: main.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: sea.gmane.org 1157336920 8305 80.91.229.2 (4 Sep 2006 02:28:40 GMT)
X-Complaints-To: usenet@sea.gmane.org
NNTP-Posting-Date: Mon, 4 Sep 2006 02:28:40 +0000 (UTC)
Cc: Satyaki Das <satyaki@chicory.stanford.edu>,
	Reiner Steib <Reiner.Steib@gmx.de>, ding@gnus.org,
	emacs-devel@gnu.org, Florian Weimer <fw@deneb.enyo.de>,
	Simon Josefsson <jas@extundo.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Sep 04 04:28:35 2006
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by ciao.gmane.org with esmtp (Exim 4.43)
	id 1GK4CQ-0001W2-Lg
	for ged-emacs-devel@m.gmane.org; Mon, 04 Sep 2006 04:28:34 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1GK4CQ-0005Oe-5N
	for ged-emacs-devel@m.gmane.org; Sun, 03 Sep 2006 22:28:34 -0400
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1GK4CE-0005M8-71
	for emacs-devel@gnu.org; Sun, 03 Sep 2006 22:28:22 -0400
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1GK4CD-0005K5-0n
	for emacs-devel@gnu.org; Sun, 03 Sep 2006 22:28:21 -0400
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1GK4CC-0005Jx-Tx
	for emacs-devel@gnu.org; Sun, 03 Sep 2006 22:28:20 -0400
Original-Received: from [203.180.232.82] (helo=mgate02.necel.com)
	by monty-python.gnu.org with esmtp (Exim 4.52)
	id 1GK4Mc-0008DI-0u; Sun, 03 Sep 2006 22:39:06 -0400
Original-Received: from relay21.aps.necel.com (relay21 [10.29.19.50])
	by mgate02.necel.com (8.13.8/8.13.1) with ESMTP id k840dxNA008898;
	Mon, 4 Sep 2006 11:27:38 +0900 (JST)
Original-Received: from relay21.aps.necel.com ([10.29.19.24] [10.29.19.24]) by
	relay21.aps.necel.com with ESMTP; Mon, 4 Sep 2006 11:27:38 +0900
Original-Received: from dhapc248.dev.necel.com ([10.114.97.235] [10.114.97.235]) by
	relay21.aps.necel.com with ESMTP; Mon, 4 Sep 2006 11:27:37 +0900
Original-Received: by dhapc248.dev.necel.com (Postfix, from userid 31295)
	id 3A3513B0; Mon,  4 Sep 2006 11:25:49 +0900 (JST)
Original-To: Daiki Ueno <ueno@unixuser.org>
System-Type: i686-pc-linux-gnu
Blat: Foop
In-Reply-To: <e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org> (Daiki
	Ueno's message of "Mon, 04 Sep 2006 11:04:38 +0900")
Original-Lines: 25
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:59302 gmane.emacs.gnus.general:63642
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/63642>

Daiki Ueno <ueno@unixuser.org> writes:
>> > In current Emacs CVS in fact `call-process-region' uses temp files.
>> > Bad.  I think this is a severe security problem, isn't it?
>
>> Why?  AFAICS, Emacs uses mkstemp when available, which should get the
>> permissions right.
>
> May I answer the question on behalf of Reiner Steib?
>
> When decrypting PGP messages PGG will send your passphrase along with
> data, so if Emacs process is killed and you have stolen your note PC,
> your passphrase can also be stolen from the temp file.

It would probably be fairly simple to change the implementation to
unlink the temp file _before_ writing the contents and pass only the
still-open file-descriptor (after rewinding) to Fcall_process (or
rather, to some common subroutine derived from Fcall_process).

I suppose the annoying part would be making sure everything still worked
on systems like ms-windows; I don't know if they support the common
"open and unlink before using" idiom for temp files in unix.

-Miles
-- 
Quidquid latine dictum sit, altum viditur.