From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/63694
Path: news.gmane.org!not-for-mail
From: gdt@work.lexort.com
Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Wed, 06 Sep 2006 15:33:46 -0400
Message-ID: <smubqpshjs5.fsf@linuxpal.mit.edu>
References: <b4maca88q6i.fsf@jpl.org>
	<def1aabc-69b9-4b1d-bb84-e65c63540eac@well-done.deisui.org>
	<b4mmze82cse.fsf@jpl.org> <b4mwtdbfqob.fsf@jpl.org>
	<9c79059a-61a9-4fa4-8376-638753320a14@well-done.deisui.org>
	<b4mpsj3gw1s.fsf@jpl.org> <b4my7xrfg5o.fsf@jpl.org>
	<4aaf7080-0e3d-4a75-aff5-f9d5bcd0437f@well-done.deisui.org>
	<87fyjz2gaj.fsf@pacem.orebokech.com>
	<v9iroj49cz.fsf@marauder.physik.uni-ulm.de>
	<v9mz9itt6y.fsf_-_@marauder.physik.uni-ulm.de>
	<87ac5gnccs.fsf@mid.deneb.enyo.de>
	<e0049689-8507-4a77-9b09-447f21211249@broken.deisui.org>
	<E1GKXSp-0002f5-Gr@fencepost.gnu.org>
	<8fe569ef-0b5e-4c29-b434-686fce4c619b@well-done.deisui.org>
	<E1GL2iA-0000uI-22@fencepost.gnu.org>
NNTP-Posting-Host: main.gmane.org
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
X-Trace: sea.gmane.org 1157571333 23324 80.91.229.2 (6 Sep 2006 19:35:33 GMT)
X-Complaints-To: usenet@sea.gmane.org
NNTP-Posting-Date: Wed, 6 Sep 2006 19:35:33 +0000 (UTC)
Cc: Daiki Ueno <ueno@unixuser.org>,  fw@deneb.enyo.de,  jas@extundo.com,  satyaki@chicory.stanford.edu,  ding@gnus.org,  Reiner.Steib@gmx.de,  emacs-devel@gnu.org
Original-X-From: ding-owner+m12221@lists.math.uh.edu Wed Sep 06 21:35:31 2006
Return-path: <ding-owner+m12221@lists.math.uh.edu>
Envelope-to: ding-account@gmane.org
Original-Received: from malifon.math.uh.edu ([129.7.128.13])
	by ciao.gmane.org with esmtp (Exim 4.43)
	id 1GL3BE-00056N-Vc
	for ding-account@gmane.org; Wed, 06 Sep 2006 21:35:26 +0200
Original-Received: from localhost
	([127.0.0.1] helo=lists.math.uh.edu ident=lists)
	by malifon.math.uh.edu with smtp (Exim 3.20 #1)
	id 1GL3B3-00061E-00; Wed, 06 Sep 2006 14:35:13 -0500
Original-Received: from nas02.math.uh.edu ([129.7.128.40])
	by malifon.math.uh.edu with esmtp (Exim 3.20 #1)
	id 1GL3A0-000619-00
	for ding@lists.math.uh.edu; Wed, 06 Sep 2006 14:34:08 -0500
Original-Received: from quimby.gnus.org ([80.91.227.211])
	by nas02.math.uh.edu with esmtp (Exim 4.52)
	id 1GL39y-00069q-8R
	for ding@lists.math.uh.edu; Wed, 06 Sep 2006 14:34:08 -0500
Original-Received: from linuxpal.mit.edu ([18.62.1.14])
	by quimby.gnus.org with esmtp (Exim 3.35 #1 (Debian))
	id 1GL39r-0003P9-00
	for <ding@gnus.org>; Wed, 06 Sep 2006 21:34:00 +0200
Original-Received: by linuxpal.mit.edu (Postfix, from userid 9545)
	id 381DD16060; Wed,  6 Sep 2006 15:33:53 -0400 (EDT)
Original-To: rms@gnu.org
In-Reply-To: <E1GL2iA-0000uI-22@fencepost.gnu.org> (Richard Stallman's message
	of "Wed, 06 Sep 2006 15:05:22 -0400")
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (berkeley-unix)
X-Hashcash: 1:20:060906:satyaki@chicory.stanford.edu::11QJSN4EdJXz0kb6:0000000000000000000000000000000002rS+
X-Hashcash: 1:20:060906:ueno@unixuser.org::XuW5qlVOz5cmmPOH:000000000000000000000000000000000000000000001Gpo
X-Hashcash: 1:20:060906:reiner.steib@gmx.de::+4eqf62itxIvQIex:0000000000000000000000000000000000000000000etQ
X-Hashcash: 1:20:060906:fw@deneb.enyo.de::sAKWiVtl+fWNe7GO:06cVZ
X-Hashcash: 1:20:060906:ding@gnus.org::N+ZPJ8p6Y0kqWyBo:000033yv
X-Hashcash: 1:20:060906:emacs-devel@gnu.org::YRO66l39+vn2pskJ:000000000000000000000000000000000000000000CyKr
X-Hashcash: 1:20:060906:rms@gnu.org::tAshYKNGri+cje6F:000000BDKs
X-Hashcash: 1:20:060906:jas@extundo.com::yuO5Hvs68i7LDTXD:00A2ck
X-Spam-Score: -1.6 (-)
Precedence: bulk
Original-Sender: ding-owner@lists.math.uh.edu
Xref: news.gmane.org gmane.emacs.gnus.general:63694 gmane.emacs.devel:59473
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/63694>

--=-=-=
Content-Transfer-Encoding: quoted-printable


I think there's a higher-level point that hasn't been made explicit,
although I'm sure it's what Daiki is thinking: Anything that can cause
the passphrase to be written to the filesystem is horribly broken; the
whole point of the passphrase is that while the secret key (encrypted
in the passphrase) is on disk, without the passphrase one can't get
the key even if one has the disk.  As soon as the passphrase ends up
on disk, through a temp file, core file, swap space, the plan is
compromised.  Programs like gnupg take care to mlock(2) or similar to
keep key data from being paged out.  (One also needs to disable kernel
crash dumps.)

The right solution might instead be to push for gpg-agent to be
production ready, so that entire notion of emacs dealing with
passphrases can be deprecated.

--=20
    Greg Troxel <gdt@work.lexort.com>

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (NetBSD)

iD8DBQFE/yKhH9p66AmO1g4RArKkAJ4ugmx3rdTHTw0wzdCT4NV5Nbkm6gCePgDJ
pNMDe1zVA224yFWEmnhdY0k=
=drlY
-----END PGP SIGNATURE-----
--=-=-=--