From: Richard Stallman
Reply-To: rms@gnu.org
Newsgroups: gmane.emacs.gnus.general, gmane.emacs.devel
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Tue, 05 Sep 2006 05:43:27 -0400
To: Daiki Ueno
Cc: fw@deneb.enyo.de, jas@extundo.com, satyaki@chicory.stanford.edu, ding@gnus.org, Reiner.Steib@gmx.de, emacs-devel@gnu.org
In-reply-to: message from Daiki Ueno on Mon, 04 Sep 2006 11:04:38 +0900

> When decrypting PGP messages PGG will send your passphrase along with
> data, so if Emacs process is killed and [someone else has] stolen your
> note PC, your passphrase can also be stolen from the temp file.

Since it is not likely for Emacs to be killed just while it is running GPG, I think that very few users have such temp files lying around. So the thief would need to be very lucky (as well as knowing about such things) in order to get anyone's pass phrase. Therefore, I think it is not desperately urgent to fix this. We should fix it if it is feasible, but it may be hard.

It would probably be fairly simple to change the implementation to unlink the temp file _before_ writing the contents and pass only the still-open file-descriptor (after rewinding) to Fcall_process (or rather, to some common subroutine derived from Fcall_process).

We would have to unlink the file before writing the contents into it. That would be somewhat more work, since Fwrite_region needs to be able to use an already-open descriptor, too. Still, it is possible in principle. Would someone like to try it?

We could make the problem even more unlikely if we can arrange for Emacs to delete any such temp files that are lying around when it starts. For this, the hard part is dealing with multiple machines that share the same temp file directory. In that case, Emacs can't tell whether the Emacs that wrote a certain temp file is still alive. However, if Emacs put the machine name, user name and process ID into the file name, then each Emacs could tell which of these temp files are from the same machine and same user; then it could check whether those processes are still alive.

This way, the thief would have to get your machine after Emacs dies while running GPG and before you start another Emacs.
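The two mitigations proposed in the message above, shown as an added example in plain C that is not Emacs or PGG code: (1) unlink the temp file before the secret is written, then hand only the still-open, rewound descriptor to the child as its stdin, so no pathname ever refers to the secret once it is on disk; (2) judge a leftover temp file named with machine name, user name and process ID to be stale only when it comes from this machine and this user and the process is gone. The `pgg-<host>-<user>-<pid>` naming scheme, the `/tmp/pgg-example-XXXXXX` template and the use of `cat` in place of gpg are assumptions made for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a temp file and unlink it at once, before anything is written to it.
   The descriptor stays valid; the data is unreachable by path from now on.
   Template path is a constructed assumption. Returns the fd, or -1 on error. */
int open_unlinked_temp(char *path_out, size_t path_len) {
    char path[] = "/tmp/pgg-example-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (unlink(path) < 0) { close(fd); return -1; }
    if (path_out) snprintf(path_out, path_len, "%s", path);
    return fd;
}

/* Write the secret through the open descriptor, then rewind so a child that
   inherits the fd as stdin reads from the beginning. Returns 0 or -1. */
int write_secret_and_rewind(int fd, const char *secret, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, secret + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        off += (size_t)n;
    }
    return lseek(fd, 0, SEEK_SET) < 0 ? -1 : 0;
}

/* Run argv with fd as its stdin (the role Fcall_process would play), capturing
   stdout into buf. Returns bytes captured, or -1 on error. */
ssize_t run_with_fd_as_stdin(int fd, char *const argv[], char *buf, size_t buflen) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd, STDIN_FILENO);            /* child sees the secret on stdin */
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]); close(pipefd[1]); close(fd);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(pipefd[1]);
    size_t total = 0;
    while (total < buflen - 1) {
        ssize_t n = read(pipefd[0], buf + total, buflen - 1 - total);
        if (n < 0) { if (errno == EINTR) continue; break; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* End to end: the child ("cat" standing in for gpg) must receive the secret,
   and the path must already be gone before the secret was written. Returns 1
   on success, 0 otherwise. */
int demo_roundtrip(const char *secret) {
    char path[64], out[256];
    int fd = open_unlinked_temp(path, sizeof path);
    if (fd < 0) return 0;
    int gone = (access(path, F_OK) == -1 && errno == ENOENT);
    if (write_secret_and_rewind(fd, secret, strlen(secret)) < 0) { close(fd); return 0; }
    char *const argv[] = { "cat", NULL };
    ssize_t n = run_with_fd_as_stdin(fd, argv, out, sizeof out);
    close(fd);
    return gone && n == (ssize_t)strlen(secret) && strcmp(out, secret) == 0;
}

/* Startup cleanup check for a leftover file named "pgg-<host>-<user>-<pid>"
   (naming scheme assumed here; host and user names containing '-' are not
   handled). Returns 1 = stale (writer is dead on this machine, safe to delete),
   0 = live, or from another machine/user where liveness cannot be judged,
   -1 = name does not match the scheme. */
int temp_file_is_stale(const char *name, const char *my_host, const char *my_user) {
    char host[256], user[256];
    long pid;
    if (sscanf(name, "pgg-%255[^-]-%255[^-]-%ld", host, user, &pid) != 3) return -1;
    if (strcmp(host, my_host) != 0 || strcmp(user, my_user) != 0) return 0;
    if (kill((pid_t)pid, 0) == 0) return 0;   /* signal 0: existence check only */
    return errno == ESRCH ? 1 : 0;            /* EPERM means alive but not ours */
}

int main(void) {
    printf("roundtrip ok: %d\n", demo_roundtrip("hunter2\n"));   /* constructed secret */
    printf("stale: %d\n", temp_file_is_stale("pgg-h-u-2147483647", "h", "u"));
    return 0;
}
```

Note that `open_unlinked_temp` unlinks before `write_secret_and_rewind` runs, which is the ordering the message insists on: a file that is unlinked after the write still has a window in which a crash leaves the secret on disk under a name. The stale check deliberately returns 0 rather than 1 for files from another machine, since on a shared temp directory a live writer elsewhere cannot be distinguished from a dead one.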