From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#8427: Fwd: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sun, 20 Oct 2019 17:57:58 +0200
To: 8427@debbugs.gnu.org
---------- Forwarded message ---------
From: Andrew Hyatt
Date: Sat 19 Oct 2019 at 04:07
Subject: Re: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
To: Stefan Kangas

I'm attaching the fix. The fix for MySQL was fairly straightforward. I tried it out, and it works.

I looked through sql.el for similar issues, and was able to fix Vertica as well, although I've never heard of Vertica before and couldn't test it out. Parameters were set according to the docs at https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/CommandLineOptions.htm, which does match the existing code.

If this looks good to you, I will submit it (I have commit access).

Stefan Kangas writes:

> Andrew Hyatt writes:
>
>>> Could you perhaps send your patch here for review?
>>
>> I no longer know where my changes are. It's been a while. But I think I can probably recreate them, which I'll try to do this week.
> [...]
>> The idea is that instead of connecting with the --password arg, it can be left out entirely, in which case the program should ask for it (which is secure).
>
> Sounds good, thanks.
>
> Best regards,
> Stefan Kangas

[Attachment: 0001-Enable-password-less-connections-for-sql-where-possi.patch]

From cc0bb1454b090ebaad9f01f508a4fe5984463fce Mon Sep 17 00:00:00 2001
From: Andrew Hyatt <ahyatt@gmail.com>
Date: Fri, 18 Oct 2019 21:56:52 -0400
Subject: [PATCH] Enable password-less connections for sql where possible.

* lisp/progmodes/sql.el (sql-comint-mysql, sql-comint-vertica):
  When a blank password is provided (not entered by the user), send an
  argument to signal to the SQL process to read the password inside
  the process.  This removes the slight chance that someone can spy
  on the password from ps or via other methods.
---
 lisp/progmodes/sql.el | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lisp/progmodes/sql.el b/lisp/progmodes/sql.el
index b17364b08f..6439a59633 100644
--- a/lisp/progmodes/sql.el
+++ b/lisp/progmodes/sql.el
@@ -5188,7 +5188,8 @@ The default comes from `process-coding-system-alist' and
           (if (not (string= "" sql-user))
               (list (concat "--user=" sql-user)))
           (if (not (string= "" sql-password))
-              (list (concat "--password=" sql-password)))
+              (list (concat "--password=" sql-password))
+            (list "--password"))
           (if (not (= 0 sql-port))
               (list (concat "--port=" (number-to-string sql-port))))
           (if (not (string= "" sql-server))
@@ -5648,8 +5649,9 @@ The default value disables the internal pager."
                     (list "-h" sql-server))
                (and (not (string= "" sql-database))
                     (list "-d" sql-database))
-               (and (not (string= "" sql-password))
-                    (list "-w" sql-password))
+               (if (not (string= "" sql-password))
+                       (list "-w" sql-password)
+                   "-W")
                (and (not (string= "" sql-user))
                     (list "-U" sql-user))
                options)
-- 
2.19.0.605.g01d371f741-goog
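Review bot: in the sql-comint-mysql hunk the mitigation only takes effect when sql-password is the empty string; the first branch, (list (concat "--password=" sql-password)), is left as it was, so any password that is set in sql-password still goes into argv and into the ps(1) listing this bug report is about. The commit message does say "When a blank password is provided", but the sql-comint-mysql docstring and the NEWS entry should state that the user has to leave the password blank for the fix to apply, and that the bare --password added by (list "--password") makes mysql itself prompt for the password instead of receiving it on the command line.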
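Review bot: in the sql-comint-vertica hunk the else branch returns the bare string "-W", while every sibling branch in the form returns a list: (list "-w" sql-password) directly above it, (list "-d" sql-database) and (list "-U" sql-user) around it, and the MySQL hunk wraps its equivalent flag as (list "--password"). If these forms are spliced into the parameter list with append, a string argument contributes its characters rather than itself, so "-W" would turn into the integers 45 and 87 in the argument list instead of the flag and the process start would fail with a wrong-type-argument error. Change the else branch to (list "-W") so that all branches yield a list.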
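A stand-alone check for the leak this bug is about, added here as an example and not part of sql.el or the patch above: it starts a stand-in client with the secret in its argument vector, the way the old (concat "--password=" sql-password) construction did, reads that argument vector back the way ps(1) would, and then repeats the experiment with a bare --password and the secret delivered on stdin, which is what leaving the value out and letting the client prompt achieves. The "client" marker, the sleeping /bin/sh that stands in for mysql or vsql, and the secret value hunter2 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for bug#8427, not code from sql.el or the patch: show that
# a secret placed in a child's argument vector is readable by any other
# process, and that delivering it on stdin (the client prompting for it,
# which is what leaving "--password" bare achieves) is not. "client" and
# the sleeping shell stand in for mysql/vsql; hunter2 is a made-up secret.

# Argument vector of process $1 as one line: /proc on Linux, ps(1) elsewhere.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# Poll until the background child has exec'd (its argv carries the "client"
# marker), then print that argv. Fails after about five seconds.
argv_once_running() {
    i=0
    while [ "$i" -lt 5 ]; do
        args=$(argv_of "$1")
        case $args in *client*) printf '%s\n' "$args"; return 0 ;; esac
        i=$((i + 1))
        sleep 1
    done
    return 1
}

stop() { kill "$1" 2>/dev/null || true; wait "$1" 2>/dev/null || true; }

# Old construction: the secret travels as an argument ("--password=SECRET").
# Returns 0 if another process can read it back, 1 if not, 2 if unobserved.
secret_visible_in_argv() {
    sh -c 'sleep 10; :' client --password="$1" >/dev/null 2>&1 &
    pid=$!
    args=$(argv_once_running "$pid") || { stop "$pid"; return 2; }
    stop "$pid"
    case $args in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# Patched construction: bare "--password", secret answered on stdin as a
# prompting client would read it. Same return convention as above.
secret_visible_when_prompted() {
    printf '%s\n' "$1" | sh -c 'read pw; sleep 10; :' client --password >/dev/null 2>&1 &
    pid=$!
    args=$(argv_once_running "$pid") || { stop "$pid"; return 2; }
    stop "$pid"
    case $args in *"$1"*) return 0 ;; *) return 1 ;; esac
}

if [ "${1-}" = "--demo" ]; then
    secret_visible_in_argv hunter2 && echo "argv:  secret visible to ps" || echo "argv:  hidden"
    secret_visible_when_prompted hunter2 && echo "stdin: secret visible to ps" || echo "stdin: hidden"
fi
```

Run it with --demo on a system where you cannot see the secret in the second case but can in the first; the same two-line check, pointed at a real mysql or vsql started from Emacs, is how to confirm that a given sql.el build no longer puts the password where ps(1) can read it.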