From: Miles Bader
Newsgroups: gmane.emacs.devel, gmane.emacs.gnus.general
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Mon, 04 Sep 2006 11:25:48 +0900
References: <9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org> <4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org> <87fyjz2gaj.fsf@pacem.orebokech.com> <87ac5gnccs.fsf@mid.deneb.enyo.de>
Reply-To: Miles Bader
To: Daiki Ueno
Cc: Satyaki Das, Reiner Steib, ding@gnus.org, emacs-devel@gnu.org, Florian Weimer, Simon Josefsson
In-Reply-To: (Daiki Ueno's message of "Mon, 04 Sep 2006 11:04:38 +0900")

Daiki Ueno writes:

>> > In current Emacs CVS in fact `call-process-region' uses temp files.
>> > Bad. I think this is a severe security problem, isn't it?
>
>> Why? AFAICS, Emacs uses mkstemp when available, which should get the
>> permissions right.
>
> May I answer the question on behalf of Reiner Steib?
>
> When decrypting PGP messages PGG will send your passphrase along with
> the data, so if the Emacs process is killed and your note PC is stolen,
> your passphrase can also be stolen from the temp file.
It would probably be fairly simple to change the implementation to unlink
the temp file _before_ writing the contents and pass only the still-open
file descriptor (after rewinding) to Fcall_process (or rather, to some
common subroutine derived from Fcall_process).

I suppose the annoying part would be making sure everything still worked
on systems like MS-Windows; I don't know if they support the common "open
and unlink before using" idiom for temp files in Unix.

-Miles

--
Quidquid latine dictum sit, altum viditur.
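The "open and unlink before using" idiom Miles sketches, as an added example that is not Emacs code and not part of this thread. It is plain POSIX C: mkstemp() creates the file with mode 0600, the directory entry is removed before a single byte of the passphrase is written, the data is written through the still-open descriptor, the descriptor is rewound and handed to a child as stdin. /bin/cat stands in for gpg, the helper names (anon_tempfile_from_buffer, run_with_stdin_fd, demo_roundtrip) and the sample "passphrase plus armored data" input are invented for the illustration. Two caveats a practitioner will want: on Windows the idiom fails by default, because a file that some handle still has open cannot be removed unless it was opened with FILE_SHARE_DELETE, which is exactly the portability worry raised above; and unlinking hides the name but does not scrub the blocks, so on a persistent temp filesystem the contents may still be forensically recoverable after the process exits, whereas a tmpfs /tmp or a memory-backed file avoids that.

```c
/* Added example: unlink-before-write temp file handed to a child as stdin.
   Not Emacs code; helper names and sample data are invented here. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a fresh mkstemp() file, remove its name *before* writing len bytes
   from buf, rewind, and return a read-positioned fd (or -1 on error).
   If path_out is given, the now-removed name is copied there so a caller
   can check that nothing with that name remains on disk. */
int anon_tempfile_from_buffer(const char *buf, size_t len,
                              char *path_out, size_t path_out_len)
{
    const char *dir = getenv("TMPDIR");          /* assumption: writable */
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/pgg-example-XXXXXX", dir ? dir : "/tmp");

    int fd = mkstemp(path);                      /* 0600, O_EXCL, unique */
    if (fd < 0)
        return -1;
    if (path_out)
        snprintf(path_out, path_out_len, "%s", path);

    /* Unlink first: the inode now exists only while an fd is open on it.
       If the process is killed, the kernel frees it; no named file is left
       for someone with the stolen disk to read. */
    if (unlink(path) < 0) { close(fd); return -1; }

    for (size_t off = 0; off < len; ) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }
    /* Rewind so the child reads from the beginning. */
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    return fd;
}

/* Fork/exec argv with in_fd as the child's stdin (the fd hand-off Miles
   suggests for Fcall_process), capture its stdout into out (NUL-terminated).
   Returns bytes captured, or -1 if the child failed. in_fd is closed here. */
ssize_t run_with_stdin_fd(int in_fd, char *const argv[], char *out, size_t out_len)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {
        dup2(in_fd, STDIN_FILENO);
        dup2(pipefd[1], STDOUT_FILENO);
        close(in_fd); close(pipefd[0]); close(pipefd[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(in_fd);
    close(pipefd[1]);
    size_t total = 0;
    while (total + 1 < out_len) {
        ssize_t n = read(pipefd[0], out + total, out_len - 1 - total);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        total += (size_t)n;
    }
    out[total] = '\0';
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (ssize_t)total : -1;
}

/* End-to-end: constructed passphrase+data go through an unlinked temp file
   into /bin/cat (standing in for gpg). Returns 1 if the child saw exactly
   the input *and* the temp name is already gone, else 0. */
int demo_roundtrip(void)
{
    const char *secret = "hunter2\n-----BEGIN PGP MESSAGE-----\n...";  /* constructed */
    char path[PATH_MAX];
    int fd = anon_tempfile_from_buffer(secret, strlen(secret), path, sizeof path);
    if (fd < 0)
        return 0;
    int name_gone = (access(path, F_OK) < 0 && errno == ENOENT);
    char *const argv[] = { "/bin/cat", NULL };
    char out[256];
    ssize_t n = run_with_stdin_fd(fd, argv, out, sizeof out);
    return name_gone && n == (ssize_t)strlen(secret) && strcmp(out, secret) == 0;
}

int main(void)
{
    puts(demo_roundtrip() ? "ok: child read the unlinked temp file" : "failed");
    return 0;
}
```

The order matters: unlink, then write. Reversing it reopens the window the original complaint is about, since the passphrase would sit under a name on disk, however briefly, before the unlink.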