buglet in --passphrase-fd option in 1.0.6

William Harold Newman william.newman@airmail.net
Mon Mar 4 17:21:02 2002


I was playing around with the --passphrase-fd option under Emacs shell
mode (with gpg-1.0.6, under OpenBSD 2.9), and noticed that the output
looks like

$ lightning:/tmp (emacs *shell*) $
echo ppp | gpg --symmetric --passphrase-fd 0 foo
gpg: Warning: using insecure memory!
Reading passphrase from file descriptor 0 ...^H^H^H

where the extra ^H characters are ASCII BS='\010', not the '^'
followed by 'H' that I've munged them into so that they'll be visible
in everyone's mailer. Under an ordinary terminal, the ^H characters
wouldn't be visible, and so they could've been overlooked so far, but
in my Emacs window, they were visible.

The extra ^H characters aren't a big deal, but they seem pointless and
untidy, potentially either messing up someone's screen on a display
which places special significance on ASCII BS characters, or even
leaking a few bits of information about the passphrase (i.e. its
length) under some even more obscure circumstance.

-- 
William Harold Newman <william.newman@airmail.net>
"Look on my works, ye Mighty, and despair!" -- Ozymandias, King of Kings 
PGP key fingerprint 85 CE 1C BA 79 8D 51 8C  B9 25 FB EE E0 C3 E5 7C
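As an added check, not part of the original post, the helper below renders control bytes in the same ^H caret notation used above so stray backspaces are visible on any terminal, counts the ASCII BS bytes in captured stderr, and compares that count with the passphrase length to flag the length leak the post describes. The gpg invocation in run_and_check and the sample stderr are constructed assumptions, not captured output.

```python
import subprocess
from typing import List, Tuple

BS = 0x08  # ASCII backspace, '\010'


def caret_notation(data: bytes) -> str:
    """Render control bytes visibly as ^X (e.g. 0x08 -> ^H), keeping
    newline and tab as-is so the text still reads naturally."""
    out: List[str] = []
    for b in data:
        if b == 0x7F:
            out.append("^?")
        elif b < 0x20 and b not in (0x0A, 0x09):
            out.append("^" + chr(b + 0x40))
        elif b < 0x80:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)  # non-ASCII bytes shown as hex escapes
    return "".join(out)


def count_backspaces(data: bytes) -> int:
    """Number of raw BS bytes in captured output."""
    return data.count(bytes([BS]))


def leaks_passphrase_length(stderr: bytes, passphrase: bytes) -> bool:
    """True when the stray backspaces number exactly the passphrase's bytes,
    i.e. the diagnostic output reveals the passphrase length."""
    return count_backspaces(stderr) == len(passphrase)


def run_and_check(argv: List[str], passphrase: bytes) -> Tuple[str, int]:
    """Run argv with the passphrase on fd 0 (as --passphrase-fd 0 expects)
    and return stderr in caret notation plus its backspace count.
    Example argv (assumed): ["gpg", "--symmetric", "--passphrase-fd", "0", "foo"]."""
    proc = subprocess.run(argv, input=passphrase + b"\n", capture_output=True)
    return caret_notation(proc.stderr), count_backspaces(proc.stderr)


# Constructed sample mirroring the stderr shown in the post (not real gpg output).
SAMPLE_STDERR = (b"gpg: Warning: using insecure memory!\n"
                 b"Reading passphrase from file descriptor 0 ...\x08\x08\x08\n")

if __name__ == "__main__":
    print(caret_notation(SAMPLE_STDERR))
    print("BS bytes:", count_backspaces(SAMPLE_STDERR),
          "length leak:", leaks_passphrase_length(SAMPLE_STDERR, b"ppp"))
```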