Re: Security flaw in pgg-gpg-process-region?

From: Chong Yidong
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Thu, 07 Sep 2006 10:12:32 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)

Florian Weimer <address@hidden> writes:

> * Richard Stallman:
>>     It would probably be fairly simple to change the implementation to
>>     unlink the temp file _before_ writing the contents and pass only the
>>     still-open file-descriptor (after rewinding) to Fcall_process (or
>>     rather, to some common subroutine derived from Fcall_process).
>> We would have to unlink the file before writing the contents into it.
> This doesn't achieve much, I'm afraid.  Even unnamed files can be
> written to disk by the kernel.  It's not much different from
> passphrases stored in process images ending up in the swap file,
> though.  I'm pretty sure I looked at the situation when I wrote gpg.el
> a couple of years ago, and decided that all things considered, it's
> not terribly important.

In any case, I've looked into changing Fcall_process_region to do the
unlink-before-write trick, and changing Fcall_process to accept a file
descriptor.  It's a rather big and messy job.  Since it wouldn't
completely solve the problem anyway, could we postpone this for after
the release?
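
As an added illustration, not code from this thread or from Emacs itself, the following C program sketches the unlink-before-write trick Chong Yidong describes: the temp file is created with mkstemp and its name is removed before any data is written, then the still-open descriptor is rewound and handed to the child process as stdin, which is what "changing Fcall_process to accept a file descriptor" would amount to. The /tmp template, the use of `cat` as the child, and the function names are assumptions. As Florian notes above, this only removes the name: the kernel can still write the unnamed file's pages to disk, so it narrows the exposure rather than eliminating it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a temporary file and remove its directory entry before any data
   is written, so the content is never reachable by name.  Returns an open
   read/write descriptor, or -1 on failure.  The /tmp template is an
   assumption for this example. */
static int open_unlinked_tmp(void)
{
    char tmpl[] = "/tmp/pgg-region-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (unlink(tmpl) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* True when the descriptor refers to an inode with no remaining names. */
static int fd_is_unlinked(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_nlink == 0;
}

/* Write the region to an unlinked file, rewind it, and run argv with that
   descriptor as stdin (an fd handed to the child instead of a path).
   The child's stdout is collected into out; returns the number of bytes
   collected, or -1 on error or non-zero child exit. */
static ssize_t run_with_region_on_stdin(const char *data, size_t len,
                                        char *const argv[],
                                        char *out, size_t outcap)
{
    int fd = open_unlinked_tmp();
    if (fd < 0)
        return -1;

    for (size_t done = 0; done < len;) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }

    int pfd[2];
    if (pipe(pfd) < 0) { close(fd); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(fd); close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        /* Child: its only handle on the data is the inherited descriptor. */
        dup2(fd, STDIN_FILENO);
        dup2(pfd[1], STDOUT_FILENO);
        close(fd); close(pfd[0]); close(pfd[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd);
    close(pfd[1]);

    size_t got = 0;
    while (got < outcap) {
        ssize_t n = read(pfd[0], out + got, outcap - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    close(pfd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)got;
}

/* Self-check: the temp file really has no name, and a constructed region
   passed through `cat` comes back byte-for-byte.  Returns 1 on success. */
static int demo_roundtrip_ok(void)
{
    static const char region[] = "constructed secret region\n";  /* constructed sample */
    char *const argv[] = { "cat", NULL };
    char out[128];
    int fd = open_unlinked_tmp();
    if (fd < 0 || !fd_is_unlinked(fd)) { if (fd >= 0) close(fd); return 0; }
    close(fd);
    ssize_t n = run_with_region_on_stdin(region, sizeof region - 1, argv, out, sizeof out);
    return n == (ssize_t)(sizeof region - 1) && memcmp(out, region, (size_t)n) == 0;
}

int main(void)
{
    printf("unlink-before-write round trip: %s\n", demo_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The child never sees a path, only an inherited descriptor, which is the property the thread is after; what it does not change is that the file's pages remain ordinary page-cache data that the kernel may flush to disk.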
