emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security flaw in pgg-gpg-process-region?

From: Richard Stallman
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 17:14:11 -0400 
    ^C in the terminal where the user launched Emacs (without -nw.)  In this
    case Emacs can't be said to be "killed" but it is enough to leave the
    tempfile on the filesystem after the Emacs process terminated.

Do you actually find that users do this while running mailcrypt?
It seems like a strange thing to do; wouldn't they try C-g first,
most of the time?

By unlinking the temp file before writing it, we could avoid the
problem that the file might remain in /tmp.  As others have pointed
out, this won't avoid the problem that the passphrase could have been
written to some disk block while it was in the unlinked file, and it
could remain there, readable by reading the raw disk.  It could also
be saved on disk due swapping of Emacs.

So the real question is, how far should we go?  To what level of
smallness do we need to reduce this problem?  And how far do we need
to go now, before the Emacs 22 release?

I have cc'd Werner Koch, in the hope that he can give us some advice.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]