emacs-devel

Re: Security flaw in pgg-gpg-process-region?


From: Miles Bader
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Mon, 04 Sep 2006 11:25:48 +0900

Daiki Ueno <address@hidden> writes:
>> > In current Emacs CVS in fact `call-process-region' uses temp files.
>> > Bad.  I think this is a severe security problem, isn't it?
>
>> Why?  AFAICS, Emacs uses mkstemp when available, which should get the
>> permissions right.
>
> May I answer the question on behalf of Reiner Steib?
>
> When decrypting PGP messages PGG will send your passphrase along with
> data, so if Emacs process is killed and you have stolen your note PC,
> your passphrase can also be stolen from the temp file.

It would probably be fairly simple to change the implementation to
unlink the temp file _before_ writing the contents and pass only the
still-open file-descriptor (after rewinding) to Fcall_process (or
rather, to some common subroutine derived from Fcall_process).

I suppose the annoying part would be making sure everything still worked
on systems like ms-windows; I don't know if they support the common
"open and unlink before using" idiom for temp files in unix.

-Miles
-- 
Quidquid latine dictum sit, altum viditur.
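
The "open and unlink before using" idiom described in the message above, as an added C example (not part of the original message and not Emacs source). The helper names, the /tmp template and the way the child is launched are assumptions; the file's name is removed before any data is written, and only the rewound descriptor reaches the child as its stdin.

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Create a temp file, unlink it BEFORE any data is written, then write
   the data and rewind.  Returns an open fd, or -1 on error. */
int unlinked_temp_with(const void *data, size_t len)
{
    char path[] = "/tmp/unlink-demo-XXXXXX";   /* assumed location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (unlink(path) != 0) {        /* name gone; data stays reachable via fd */
        close(fd);
        return -1;
    }
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0) { close(fd); return -1; }
        p += n;
        len -= (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    return fd;
}

/* Run argv with fd as standard input; returns its exit status, or -1. */
int run_with_stdin(int fd, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (dup2(fd, STDIN_FILENO) >= 0)
            execvp(argv[0], argv);
        _exit(127);                 /* dup2 or exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Link count of the open file; 0 means no directory entry names it. */
long link_count(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_nlink : -1;
}
```

Once the last descriptor is closed, or the process holding it is killed, the kernel releases the file's storage, so no named temp file is left behind in the directory.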



