From: gdt@work.lexort.com
Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Wed, 06 Sep 2006 15:33:46 -0400
To: rms@gnu.org
Cc: Daiki Ueno, fw@deneb.enyo.de, jas@extundo.com, satyaki@chicory.stanford.edu, ding@gnus.org, Reiner.Steib@gmx.de, emacs-devel@gnu.org
In-Reply-To: (Richard Stallman's message of "Wed, 06 Sep 2006 15:05:22 -0400")

I think there's a higher-level point that hasn't been made explicit,
although I'm sure it's what Daiki is thinking:

Anything that can cause the passphrase to be written to the filesystem
is horribly broken; the whole point of the passphrase is that while
the secret key (encrypted in the passphrase) is on disk, without the
passphrase one can't get the key even if one has the disk. As soon as
the passphrase ends up on disk, through a temp file, core file, swap
space, the plan is compromised. Programs like gnupg take care to
mlock(2) or similar to keep key data from being paged out. (One also
needs to disable kernel crash dumps.)

The right solution might instead be to push for gpg-agent to be
production ready, so that the entire notion of emacs dealing with
passphrases can be deprecated.

-- 
Greg Troxel
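
The following C sketch is an added example, not part of the original message and not code from GnuPG or Emacs. It shows the two process-level precautions the message names for a POSIX system: setting the core-file limit to zero, and holding the secret in pages pinned with mlock(2) that are wiped before release. The secret_buf type and the secret_* and disable_core_dumps names are hypothetical, and the passphrase is a constructed sample.

```c
#define _DEFAULT_SOURCE 1  /* exposes MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical names. buf: page-aligned secret; len: mapped bytes; locked: mlock ok. */
typedef struct { unsigned char *buf; size_t len; int locked; } secret_buf;

/* Core-file size limit 0: a crash cannot write the secret to disk. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Map whole pages for the secret and try to keep them out of swap. */
int secret_alloc(secret_buf *s, size_t want) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    s->locked = 0;
    s->len = (want + page - 1) / page * page;
    s->buf = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->buf == MAP_FAILED) { s->buf = NULL; s->len = 0; return -1; }
    s->locked = (mlock(s->buf, s->len) == 0);  /* can fail: RLIMIT_MEMLOCK */
    return 0;
}

/* Zero through a volatile pointer so the compiler keeps the stores. */
void secret_wipe(secret_buf *s) {
    volatile unsigned char *p = s->buf;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
}

/* Wipe, then unmap; unmapping also releases the lock on those pages. */
void secret_free(secret_buf *s) {
    if (s->buf == NULL) return;
    secret_wipe(s);
    munmap(s->buf, s->len);
    s->buf = NULL; s->len = 0; s->locked = 0;
}

int main(void) {
    secret_buf s;
    if (disable_core_dumps() != 0 || secret_alloc(&s, 128) != 0) return 1;
    if (!s.locked) fprintf(stderr, "warning: pages not locked, may reach swap\n");
    memcpy(s.buf, "constructed-passphrase", 23);  /* constructed sample */
    secret_free(&s);
    return 0;
}
```

The locked flag is reported rather than treated as fatal, so the caller decides whether to continue when the pages could not be pinned. Neither precaution covers copies of the secret made elsewhere, such as in a temp file.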