buglet in --passphrase-fd option in 1.0.6
William Harold Newman
william.newman at airmail.net
Mon Mar 4 17:21:02 CET 2002
I was playing around with the --passphrase-fd option under Emacs shell
mode (with gpg-1.0.6, under OpenBSD 2.9), and noticed that the output

    $ lightning:/tmp (emacs *shell*) $
    echo ppp | gpg --symmetric --passphrase-fd 0 foo
    gpg: Warning: using insecure memory!
    Reading passphrase from file descriptor 0 ...^H^H^H

where the extra ^H characters are ASCII BS='\010', not the '^'
followed by 'H' that I've munged them into so that they'll be visible
in everyone's mailer. Under an ordinary terminal, the ^H characters
wouldn't be visible, and so they could've been overlooked so far, but
in my Emacs window, they were visible.
The extra ^H characters aren't a big deal, but they seem pointless and
untidy, potentially either messing up someone's screen on a display
which places special significance on ASCII BS characters, or even
leaking a few bits of information about the passphrase (i.e. its
length) under some even more obscure circumstance.
William Harold Newman <william.newman at airmail.net>
"Look on my works, ye Mighty, and despair!" -- Ozymandias, King of Kings
PGP key fingerprint 85 CE 1C BA 79 8D 51 8C B9 25 FB EE E0 C3 E5 7C