[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[O] org-crypt.el security problem (From: Milan Zamazal)
|
From: |
Peter Jones |
|
Subject: |
[O] org-crypt.el security problem (From: Milan Zamazal) |
|
Date: |
Fri, 04 Mar 2011 08:06:40 -0700 |
|
User-agent: |
Gnus/5.110013 (No Gnus v0.13) Emacs/23.2 (darwin) |
Here is an email I received from Milan Zamazal:
,----
| I don't know whether you are aware of this, but I consider it a serious
| security problem of org-crypt.el in (at least) Emacs 23.2:
|
| I've found out that when I edit a (decrypted) crypt entry and the edited
| file is autosaved, the autosaved file contains the given crypt entry in
| plain text. So unless the user has got a special arrangement of storing
| autosave files to a secure location where they are also deleted
| securely, the secret content may be accessed either in the autosave file
| directly, or it may be later retrieved by an off-line attacker from the
| deleted file content that remained stored somewhere on the disk.
|
| This should be fixed or at least a big warning should be placed in
| org-crypt.el.
`----
I don't have time to look into this. Would someone please see if there
is a way to prevent it. Off the top of my head, the only thing I can
think of is disabling autosave for any org buffer that uses org-crypt.
Hopefully there's an autosave hook where you can encrypt the headings
and save to disk using a temporary buffer without having to alter the
current buffer and interrupt the user by encrypting a heading that is
being edited.
--
Peter Jones - pmade inc.
303-219-0226 http://pmade.com
- [O] org-crypt.el security problem (From: Milan Zamazal),
Peter Jones <=
Re: [O] org-crypt.el security problem (From: Milan Zamazal), Bastien, 2011/03/06