* bug#36154: 26.2; read-passwd function creates a security issue
@ 2019-06-09 20:01 Ahmet BASTUG
  2019-10-09 23:25 ` Lars Ingebrigtsen
  0 siblings, 1 reply; 5+ messages in thread
From: Ahmet BASTUG @ 2019-06-09 20:01 UTC (permalink / raw)
  To: 36154


The read-passwd function, which is located in "subr.el", causes a kind of 
security issue. When the function is used, the user is prompted with a prompt and 
everything the user typed is displayed as '.' characters. If any kind of 
kill operation is performed on the prompt minibuffer, the real value is 
saved into the kill-ring. Then you can yank it anywhere you want. I'm not 
sure this is meant this way, but I think not.

--text follows this line--




In GNU Emacs 26.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.8)
  of 2019-04-12 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12004000
System Description:    Manjaro Linux

Recent messages:
Type C-c C-c to finish, or C-c C-k to cancel
When done with a buffer, type C-c C-c
Saving file /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG...
Wrote /home/kosantosbik/projects/bot/.git/COMMIT_EDITMSG
Git finished
Running git push -v origin master:refs/heads/master
Git finished
C-x C-g is undefined
""
Mark set

Configured using:
  'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
--localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-modules
'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
-fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

Configured features:
XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS GSETTINGS GLIB
NOTIFY ACL GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD LCMS2

Important settings:
   value of $LC_MONETARY: tr_TR.UTF-8
   value of $LC_NUMERIC: tr_TR.UTF-8
   value of $LC_TIME: tr_TR.UTF-8
   value of $LANG: en_US.UTF-8
   locale-coding-system: utf-8-unix

Major mode: Lisp Interaction


* bug#36154: 26.2; read-passwd function creates a security issue
  2019-06-09 20:01 bug#36154: 26.2; read-passwd function creates a security issue Ahmet BASTUG
@ 2019-10-09 23:25 ` Lars Ingebrigtsen
  2019-10-10  0:30   ` Phil Sainty
  0 siblings, 1 reply; 5+ messages in thread
From: Lars Ingebrigtsen @ 2019-10-09 23:25 UTC (permalink / raw)
  To: Ahmet BASTUG; +Cc: 36154

Ahmet BASTUG <bastugn@itu.edu.tr> writes:

> The read-passwd function, which is located in "subr.el", causes a kind of
> security issue. When the function is used, the user is prompted with a prompt
> and everything the user typed is displayed as '.' characters. If any kind
> of kill operation is performed on the prompt minibuffer, the real value is
> saved into the kill-ring. Then you can yank it anywhere you want. I'm not
> sure this is meant this way, but I think not.

I think it makes sense to allow users to do this -- this is something
that should be up to them whether to do or not.  So I'm closing this bug
report.  If anybody disagrees with this, please feel free to reopen.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#36154: 26.2; read-passwd function creates a security issue
  2019-10-09 23:25 ` Lars Ingebrigtsen
@ 2019-10-10  0:30   ` Phil Sainty
  2019-10-10  0:49     ` Noam Postavsky
  0 siblings, 1 reply; 5+ messages in thread
From: Phil Sainty @ 2019-10-10  0:30 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: Ahmet BASTUG, 36154

On 2019-10-10 12:25, Lars Ingebrigtsen wrote:
> I think it makes sense to allow users to do this -- this is something
> that should be up to them whether to do or not.  So I'm closing this bug
> report.  If anybody disagrees with this, please feel free to reopen.

A potential solution to this would be to make the low-level kill functions
respect a new `inhibit-kill-ring' variable, such that nothing would be
added to the kill ring if that was non-nil.

A user option for the password entry routine could then be added to
control whether or not the variable was set by `read-passwd' when setting
up the minibuffer.

This facility might also have more general applicability, and perhaps
even warrant a minor mode.  I can certainly envisage `inhibit-kill-ring'
being let-bound by users for specific cases, if they consider that
unwanted kill ring pollution was occurring.


-Phil

* bug#36154: 26.2; read-passwd function creates a security issue
  2019-10-10  0:30   ` Phil Sainty
@ 2019-10-10  0:49     ` Noam Postavsky
  2019-10-10  3:01       ` Phil Sainty
  0 siblings, 1 reply; 5+ messages in thread
From: Noam Postavsky @ 2019-10-10  0:49 UTC (permalink / raw)
  To: Phil Sainty; +Cc: Ahmet BASTUG, 36154, Lars Ingebrigtsen

Phil Sainty <psainty@orcon.net.nz> writes:

> On 2019-10-10 12:25, Lars Ingebrigtsen wrote:
>> I think it makes sense to allow users to do this -- this is something
>> that should be up to them whether to do or not.  So I'm closing this bug
>> report.  If anybody disagrees with this, please feel free to reopen.
>
> A potential solution to this would be to make the low-level kill functions
> respect a new `inhibit-kill-ring' variable, such that nothing would be
> added to the kill ring if that was non-nil.

IMO, it would be better to rebind the kill commands to corresponding
delete commands in read-passwd-map.

* bug#36154: 26.2; read-passwd function creates a security issue
  2019-10-10  0:49     ` Noam Postavsky
@ 2019-10-10  3:01       ` Phil Sainty
  0 siblings, 0 replies; 5+ messages in thread
From: Phil Sainty @ 2019-10-10  3:01 UTC (permalink / raw)
  To: Noam Postavsky; +Cc: Ahmet BASTUG, 36154, Lars Ingebrigtsen

On 2019-10-10 13:49, Noam Postavsky wrote:
> Phil Sainty <psainty@orcon.net.nz> writes:
>> A potential solution to this would be to make the low-level kill
>> functions respect a new `inhibit-kill-ring' variable, such that nothing
>> would be added to the kill ring if that was non-nil.
> 
> IMO, it would be better to rebind the kill commands to corresponding
> delete commands in read-passwd-map.

My main argument against that (at least as a complete solution) is that
it necessitates *knowing* what all the kill commands are, and what their
corresponding delete commands would be.

This would also mean maintaining that moving forwards for standard
commands; but that still wouldn't account for arbitrary third-party and
custom commands which call `kill-new'.

I think such remapping of standard commands would be entirely reasonable
as an *additional* step (particularly if it was wrapped into a minor
mode), but personally I think there is a greater benefit (with wider
application) in the `inhibit-kill-ring' notion.


-Phil
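A sketch of the two approaches discussed in this thread, added here as an illustration rather than code from Emacs or from anyone in the thread: an `inhibit-kill-ring' variable honoured by `kill-new' and let-bound around `read-passwd', plus the remapping of a standard kill command in `read-passwd-map' as the additional step. All names except the built-in `kill-new', `read-passwd', `read-passwd-map', `kill-region' and `delete-region' are hypothetical.

```elisp
;; Hypothetical user-level sketch of bug#36154's proposals (not Emacs code).
;; It assumes Emacs 24.4 or later, where `read-passwd' installs
;; `read-passwd-map' in its minibuffer and `advice-add' is available.

(defvar inhibit-kill-ring nil
  "When non-nil, `kill-new' discards the text instead of saving it.
Hypothetical variable modelled on the proposal in bug#36154.")

(defun my-kill-new-guard (orig-fn string &optional replace)
  "Around-advice for `kill-new' (hypothetical helper).
When `inhibit-kill-ring' is non-nil the killed STRING never reaches the
kill ring (or the window system selection, which `kill-new' also feeds).
The caller still deletes the text, so every kill command behaves like its
delete counterpart, including third-party commands that call `kill-new'."
  (unless inhibit-kill-ring
    (funcall orig-fn string replace)))

(advice-add 'kill-new :around #'my-kill-new-guard)

(defun my-read-passwd-inhibit-kill (orig-fn &rest args)
  "Around-advice for `read-passwd' (hypothetical helper).
`inhibit-kill-ring' is special (defvar), so this dynamic binding is in
effect for the whole minibuffer interaction, whichever command does the
killing.  Note it also covers any recursive minibuffer opened meanwhile."
  (let ((inhibit-kill-ring t))
    (apply orig-fn args)))

(advice-add 'read-passwd :around #'my-read-passwd-inhibit-kill)

;; The additional step from the thread: remap a standard kill command in
;; `read-passwd-map' to its delete counterpart.  `delete-region' is an
;; interactive command taking the region, so it is a drop-in for C-w here.
;; This only covers commands you know about, which is the objection raised.
(define-key read-passwd-map [remap kill-region] #'delete-region)

;; To undo the sketch:
;;   (advice-remove 'kill-new #'my-kill-new-guard)
;;   (advice-remove 'read-passwd #'my-read-passwd-inhibit-kill)
;;   (define-key read-passwd-map [remap kill-region] nil)
```

After evaluating this, `M-:` `(read-passwd "Password: ")`, typing text and pressing `C-w` or `C-k` removes it from the minibuffer without `C-y` yanking it back afterwards.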
